The source-zip build moved to CI, which configured out-of-source and never
ran the doc target, so the pre-rendered HTML docs (doc-html/) silently
dropped out of the package. Install the doc toolchain, build the docs, and
stage them into the source tree before package_source so CPack picks them up.

The lint workflow was path-filtered to source files, so PRs that didn't
touch them never ran clang-format/cmake-format. Since those checks are
required, such PRs were blocked forever waiting for a status that never
came. Drop the paths filter so the workflow always reports a status.

The provenance job called the SLSA generator with contents: read, but the
generator's upload-assets job declares contents: write. A reusable
workflow's job permissions may not exceed the caller's, so GitHub failed
the run at startup. Grant contents: write; the upload-assets job is still
skipped at runtime since upload-assets is false.

With upload-assets the SLSA generator created and published its own
release (and tag) to host the attestation, duplicating the draft. Disable
upload-assets and add a job that downloads the provenance artifact and
attaches it to the draft alongside the source zip.

Draft releases do not fire the `release: created` event, so the release
workflow never ran and the source zip and SLSA provenance were not
attached to the draft. Trigger the workflow explicitly from release.py
via workflow_dispatch, passing the tag to attach to and the ref to build
from, and resolve the tag/ref in the workflow for both event types.

Re-enable generation of the api.html redirect page during docs deploy so
legacy links such as api.html#udt forward to the new MkDocs api/ page with
their URL hash preserved.

Match the naming convention used by the other workflows: lowercase,
single-word names that describe what the workflow does rather than the
tool it uses. Also rename the job from Fuzzing to fuzz for consistency.

Adds .github/workflows/release.yml, triggered on `release: created`, which:
- checks out the release's target_commitish,
- builds the source zip via CMake/CPack (`package_source`),
- uploads the zip to the draft release,
- calls slsa-framework/slsa-github-generator to produce a
  SLSA v1.0 *.intoto.jsonl provenance file and attach it to the
  same draft release.

After CI completes, the draft has both the zip and the provenance attached,
and the maintainer reviews and publishes as before.

Updates support/release.py to stop building and uploading the zip locally;
that work has moved to CI so the SLSA provenance attests to the actual
build environment that produced the artifact, not to a hash observed
after the fact. The script still builds docs locally because the
subsequent mkdocs deploy step depends on them.
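The commits above describe the release workflow piece by piece (doc staging before package_source, the `release: created` / workflow_dispatch tag and ref resolution, the contents: write permission needed to call the SLSA generator with upload-assets disabled, and the job that attaches the provenance artifact to the draft). The following is an added example that pulls those pieces into one workflow in their fixed form; it is not the project's own release.yml. Assumed, because the log does not state them: the docs CMake target is named `doc` and renders into `build/doc-html`, the doc toolchain is installed with `pip install mkdocs`, CPack writes the zip into `build/`, the generator pin is `v2.0.0`, and assets are uploaded with the `gh` CLI (which resolves draft releases by tag name).

```yaml
# Added example, not the project's release.yml. See the lead-in for what is assumed.
name: release

on:
  release:
    types: [created]      # never fires for drafts, hence workflow_dispatch below
  workflow_dispatch:      # triggered from release.py for a draft release
    inputs:
      tag:
        description: Tag of the (draft) release to attach assets to
        required: true
      ref:
        description: Git ref to build from
        required: true

permissions: {}           # every job opts in explicitly

jobs:
  resolve:
    runs-on: ubuntu-latest
    outputs:
      tag: ${{ steps.pick.outputs.tag }}
      ref: ${{ steps.pick.outputs.ref }}
    steps:
      - id: pick
        # Event data is passed through env rather than interpolated into the
        # script, so a crafted tag or ref cannot inject shell into the runner.
        env:
          EVENT_NAME: ${{ github.event_name }}
          INPUT_TAG: ${{ inputs.tag }}
          INPUT_REF: ${{ inputs.ref }}
          RELEASE_TAG: ${{ github.event.release.tag_name }}
          RELEASE_REF: ${{ github.event.release.target_commitish }}
        run: |
          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
            tag=$INPUT_TAG; ref=$INPUT_REF
          else
            tag=$RELEASE_TAG; ref=$RELEASE_REF
          fi
          printf 'tag=%s\nref=%s\n' "$tag" "$ref" >> "$GITHUB_OUTPUT"

  build:
    needs: resolve
    runs-on: ubuntu-latest
    permissions:
      contents: write     # needed to upload the zip to the draft release
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ needs.resolve.outputs.ref }}
      - run: pip install mkdocs                      # doc toolchain (assumed)
      - run: cmake -S . -B build                     # out-of-source build
      - run: cmake --build build --target doc        # target name assumed
      # The build is out of source, so the rendered docs must be staged into
      # the source tree or package_source silently omits them.
      - run: cp -r build/doc-html doc-html
      - run: cmake --build build --target package_source
      - id: hash
        # SLSA subjects: sha256 of each artifact (basenames), base64 as one blob.
        run: echo "hashes=$(cd build && sha256sum *.zip | base64 -w0)" >> "$GITHUB_OUTPUT"
      - env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ needs.resolve.outputs.tag }}
        run: gh release upload "$TAG" build/*.zip --clobber

  provenance:
    needs: [resolve, build]
    permissions:
      actions: read
      id-token: write
      contents: write     # must cover the generator's upload-assets job or the
                          # run fails at startup, even though that job is skipped
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
      upload-assets: false  # true would create and publish a second release + tag

  attach-provenance:
    needs: [resolve, provenance]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: ${{ needs.provenance.outputs.provenance-name }}
      - env:
          GH_TOKEN: ${{ github.token }}
          TAG: ${{ needs.resolve.outputs.tag }}
          PROV: ${{ needs.provenance.outputs.provenance-name }}
        run: gh release upload "$TAG" "$PROV" --clobber
```

For a draft, release.py would run something like `gh workflow run release.yml -f tag=<tag> -f ref=<ref>` (an assumed invocation); a published release reaches the same jobs through the `release: created` path, and both end with the zip and the `*.intoto.jsonl` provenance on the same draft. Verifying the attached provenance against the downloaded zip is then a consumer-side check with slsa-verifier, which is outside what this workflow does.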