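# Builds the release source package in CI when a draft release is created
# (typically via support/release.py), uploads the zip to that release, and
# attaches a SLSA v1.0 provenance attestation generated by the OpenSSF
# slsa-github-generator. The maintainer reviews the draft (which by then has
# both the zip and *.intoto.jsonl attached) and clicks Publish to finalize.
#
# This makes the provenance attest to the actual build that produced the
# artifact, rather than just attesting to a hash observed after the fact.
#
# Hardening notes:
# - Expression values (`${{ ... }}`) are never interpolated directly into
#   `run:` scripts; they are passed through `env:` and read as quoted shell
#   variables, so a tag or file name containing shell metacharacters cannot
#   alter the command line.
# - The workflow-level token is read-only; only the two jobs that need to
#   upload release assets request `contents: write`.
---
name: release

on:
  release:
    types: [created]

# Default token scope for every job; jobs widen only what they need.
permissions: read-all

jobs:
  build:
    name: Build source package
    runs-on: ubuntu-latest
    permissions:
      contents: write  # needed by `gh release upload`
    outputs:
      # base64(sha256sum output) consumed by the SLSA generator below.
      hashes: ${{ steps.hash.outputs.hashes }}
      # Path of the built zip, relative to the workspace.
      package: ${{ steps.build.outputs.package }}
    steps:
      - name: Checkout the release ref
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # NOTE(review): target_commitish may be a branch name rather than a
          # commit SHA; if the branch moves between release creation and this
          # checkout, the built source could differ from the commit the
          # provenance records. Prefer having the release tool pass a
          # commit SHA as target_commitish — confirm with support/release.py.
          ref: ${{ github.event.release.target_commitish }}
          # The token is not needed by later steps; do not leave it in .git/config.
          persist-credentials: false

      - name: Build source zip via CPack
        id: build
        run: |
          cmake -B build .
          cmake --build build --target package_source
          # `test -f` fails when the glob matches nothing (ls errors, pkg empty)
          # or more than one file (multi-line value is not a regular file), so
          # exactly one source zip is required here.
          pkg=$(ls build/fmt-*.zip)
          test -f "$pkg"
          echo "package=$pkg" >> "$GITHUB_OUTPUT"

      - name: Compute base64-encoded SHA-256 subjects
        id: hash
        env:
          PACKAGE: ${{ steps.build.outputs.package }}
        run: |
          # Hash from the zip's directory so the subject name is the bare file
          # name (the generator uses the name field of `sha256sum` output).
          subjects=$(cd "$(dirname "$PACKAGE")" && sha256sum "$(basename "$PACKAGE")")
          echo "hashes=$(printf '%s' "$subjects" | base64 -w0)" >> "$GITHUB_OUTPUT"

      - name: Upload zip to the release
        env:
          GH_TOKEN: ${{ github.token }}
          TAG_NAME: ${{ github.event.release.tag_name }}
          PACKAGE: ${{ steps.build.outputs.package }}
        run: |
          gh release upload "$TAG_NAME" "$PACKAGE" \
            --repo "$GITHUB_REPOSITORY" --clobber

  provenance:
    needs: [build]
    permissions:
      actions: read  # read the build job's run metadata
      id-token: write  # OIDC token for signing the attestation
      contents: write  # upload *.intoto.jsonl to the release
    # NOTE(review): the slsa-github-generator documents that the reusable
    # workflow must be referenced by a release tag (not a commit SHA) for its
    # own verification to succeed; keep the tag form here and bump it
    # deliberately.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
      provenance-name: "fmt-${{ github.event.release.tag_name }}.intoto.jsonl"
      upload-assets: true
      upload-tag-name: ${{ github.event.release.tag_name }}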