From 4e10535429a391a29246012122ed828a7195852a Mon Sep 17 00:00:00 2001
From: Rouel Joseph Soberano
Date: Tue, 23 Jan 2024 16:20:58 -0800
Subject: [PATCH] build: adding provenance steps to manual publish workflow
---
 .github/workflows/manual-publish.yml | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml
index 2472724..6330997 100644
--- a/.github/workflows/manual-publish.yml
+++ b/.github/workflows/manual-publish.yml
@@ -14,6 +14,8 @@ jobs:
 permissions:
 id-token: write
 contents: read
+ outputs:
+ package-hashes: ${{ steps.build.outputs.package-hashes}}
 steps:
 - uses: actions/checkout@v4
@@ -31,8 +33,23 @@ jobs:
 ssm_parameter_pairs: '/production/common/releasing/pypi/token = PYPI_AUTH_TOKEN'
 - uses: ./.github/actions/build
+ id: build
 - uses: ./.github/actions/publish
 with:
 token: ${{env.PYPI_AUTH_TOKEN}}
 dry_run: ${{ inputs.dry_run }}
+
+ release-provenance:
+ needs: [ 'build-publish' ]
+ runs-on: ubuntu-latest
+ permissions:
+ actions: read
+ id-token: write
+ contents: write
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
+ with:
+ base64-subjects: "${{ needs.build-publish.outputs.package-hashes }}"
+ upload-assets: true
+ upload-tag-name: TBD
+
\ No newline at end of file
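Review bot: The new `package-hashes` job output in the first hunk has no comment stating the format it must carry, and the step output it reads comes from `./.github/actions/build`, which this commit does not touch. The generator's `base64-subjects` input expects base64-encoded `sha256sum`-style lines, so if the composite action does not declare an output with that name the expression presumably evaluates to an empty string and the provenance job has nothing to attest. I would add above `outputs:` a comment such as `# base64-encoded sha256sum lines for the built distributions; consumed by release-provenance`. The job body continues outside the hunk, and the `id: build` this expression depends on is added in the second hunk.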
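Review bot: `runs-on: ubuntu-latest` on `release-provenance` in the second hunk conflicts with the job-level `uses:` that calls the SLSA generator. A job that calls a reusable workflow accepts only keys such as `needs`, `if`, `permissions`, `with` and `secrets`, so GitHub is expected to reject the workflow file; drop the `runs-on` line. `upload-tag-name: TBD` is a placeholder that, with `upload-assets: true` and `contents: write`, would attach the provenance to a release tagged literally `TBD`, so it needs a real tag or input before this is merged. The job also runs when `dry_run` is set, because it depends only on `build-publish`; assuming `dry_run` is a boolean input, `if: ${{ !inputs.dry_run }}` on the job would keep dry runs from writing release assets. Indentation is not recoverable on this page, so the key nesting is read from the order of the lines.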