From 2a24d1ae2e595db3d47fffee374c620e47e35d46 Mon Sep 17 00:00:00 2001
From: Victor Zverovich
Date: Sun, 31 May 2026 09:08:03 -0700
Subject: [PATCH] Add a temporary workflow to backfill SLSA provenance for existing releases
---
 .../workflows/backfill-slsa-provenance.yml | 56 +++++++++++++++++++
 1 file changed, 56 insertions(+)
 create mode 100644 .github/workflows/backfill-slsa-provenance.yml
diff --git a/.github/workflows/backfill-slsa-provenance.yml b/.github/workflows/backfill-slsa-provenance.yml
new file mode 100644
index 00000000..17bb2754
--- /dev/null
+++ b/.github/workflows/backfill-slsa-provenance.yml
@@ -0,0 +1,56 @@
+# One-shot workflow to retrofit SLSA provenance onto previously published
+# releases. Trigger via "Run workflow" with the existing release tag.
+#
+# This is intended to be deleted (along with its branch) once the last five
+# non-source-only releases each carry a *.intoto.jsonl asset. New releases
+# should produce provenance through the regular release workflow rather than
+# through this one.
+
+name: backfill-slsa-provenance
+
+on:
+  workflow_dispatch:
+    inputs:
+      tag:
+        description: "Existing release tag (e.g. 11.1.4)"
+        required: true
+        type: string
+
+permissions: read-all
+
+jobs:
+  hash:
+    name: Hash existing release assets
+    runs-on: ubuntu-latest
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    steps:
+      - name: Download release assets
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          mkdir dist
+          cd dist
+          gh release download "${{ inputs.tag }}" \
+            --repo "${{ github.repository }}" \
+            --pattern 'fmt-*.zip'
+          ls -la
+
+      - name: Compute base64-encoded SHA-256 subjects
+        id: hash
+        working-directory: dist
+        run: |
+          echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+  provenance:
+    needs: [hash]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: ${{ needs.hash.outputs.hashes }}
+      provenance-name: "fmt-${{ inputs.tag }}.intoto.jsonl"
+      upload-assets: true
+      upload-tag-name: ${{ inputs.tag }}
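Review bot: `inputs.tag` is expanded directly into the shell script of the "Download release assets" step (`gh release download "${{ inputs.tag }}"`), so a value containing a quote or `;` is executed as shell rather than passed as an argument — the usual Actions script-injection pattern, even though only users with write access can dispatch this workflow. Pass it through the environment instead, `TAG: ${{ inputs.tag }}` under the step's `env:`, and call `gh release download "$TAG" \`; the two later uses of the input (`provenance-name`, `upload-tag-name`) are expression contexts and are fine as written. Since the input is documented as a version like `11.1.4`, a guard before the download, `[[ "$TAG" =~ ^[0-9]+(\.[0-9]+)*$ ]] || { echo "unexpected tag: $TAG" >&2; exit 1; }`, would also reject flag-like or otherwise unexpected values before gh sees them. The header comment could additionally spell out what a backfilled attestation vouches for: its subjects are whatever `fmt-*.zip` assets sit on the release when this workflow runs and its builder identity is this workflow, so it records the assets' hashes as of the backfill rather than anything about the original build.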