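# One-shot workflow to retrofit SLSA provenance onto previously published
# releases. Trigger via "Run workflow" with the existing release tag.
#
# This is intended to be deleted (along with its branch) once the last five
# non-source-only releases each carry a *.intoto.jsonl asset. New releases
# should produce provenance through the regular release workflow rather than
# through this one.
#
# Review notes on the shape of this file:
# - `inputs.tag` is user-supplied. It is passed to the shell through `env:`
#   and read as "$TAG" rather than being expanded with `${{ }}` inside the
#   `run:` script, so the value can never be interpreted as shell syntax.
# - The hash step uses `shell: bash`, which makes GitHub run the script with
#   `-eo pipefail`; with the default shell only `-e` is set, so a failing
#   `sha256sum` in the pipeline would have produced an empty `hashes` output
#   without failing the step.
name: backfill-slsa-provenance

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      tag:
        description: "Existing release tag (e.g. 11.1.4)"
        required: true
        type: string

# Least privilege at the workflow level; the provenance job raises only the
# scopes the generator documents as required.
permissions: read-all

jobs:
  hash:
    name: Hash existing release assets
    runs-on: ubuntu-latest
    outputs:
      # Base64 of the `sha256sum` listing, consumed by the generator below.
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - name: Download release assets
        env:
          GH_TOKEN: ${{ github.token }}
          # Untrusted input goes through the environment, not the script text.
          TAG: ${{ inputs.tag }}
          REPO: ${{ github.repository }}
        run: |
          mkdir dist
          cd dist
          # Only the binary release archives are subjects of the provenance;
          # source-only assets are deliberately excluded by the pattern.
          gh release download "$TAG" \
            --repo "$REPO" \
            --pattern 'fmt-*.zip'
          ls -la

      - name: Compute base64-encoded SHA-256 subjects
        id: hash
        working-directory: dist
        # `shell: bash` enables pipefail so a hashing error fails the job
        # instead of silently yielding an empty subject list.
        shell: bash
        run: |
          echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"

  provenance:
    needs: [hash]
    permissions:
      actions: read    # required by the generator to read the workflow run
      id-token: write  # OIDC token for Sigstore signing of the attestation
      contents: write  # needed to attach the attestation to the release
    # The SLSA generator must be referenced by tag (see its own docs); keep
    # the version explicit and bump it deliberately.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.hash.outputs.hashes }}
      # `with:` values are expressions, not shell, so direct expansion of
      # inputs.tag here is not subject to script injection.
      provenance-name: "fmt-${{ inputs.tag }}.intoto.jsonl"
      upload-assets: true
      upload-tag-name: ${{ inputs.tag }}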