aboutsummaryrefslogtreecommitdiff
path: root/.github/workflows
diff options
context:
space:
mode:
authorDarius Jahandarie <djahandarie@gmail.com>2023-10-01 12:24:28 +0900
committerDarius Jahandarie <djahandarie@gmail.com>2023-10-01 12:25:21 +0900
commit947f933f14311ecc22314e173275655cbe1e5ad9 (patch)
treecb6f4f4d4df87c8372e5936b00c4e4491edf9c83 /.github/workflows
parent0fa8d441a269b13474e6ad4108f49497d4d3abfd (diff)
Add SLSA provenance to releases
Diffstat (limited to '.github/workflows')
-rw-r--r--.github/workflows/create-prerelease-on-tag.yml21
-rw-r--r--.github/workflows/publish-firefox-development.yml20
2 files changed, 39 insertions, 2 deletions
diff --git a/.github/workflows/create-prerelease-on-tag.yml b/.github/workflows/create-prerelease-on-tag.yml
index 0061ed2a..cd101801 100644
--- a/.github/workflows/create-prerelease-on-tag.yml
+++ b/.github/workflows/create-prerelease-on-tag.yml
@@ -7,11 +7,13 @@ on:
permissions:
contents: read
jobs:
- build-release-publish:
+ build:
runs-on: ubuntu-latest
permissions:
actions: write
contents: write
+ outputs:
+ hashes: ${{ steps.hash.outputs.hashes }}
steps:
- uses: actions/checkout@v4
@@ -24,6 +26,12 @@ jobs:
run: npm run-script build -- --all --yomitan-version ${{ github.ref_name }}
shell: bash
+ - name: Generate hashes
+ id: hash
+ run: |
+ cd builds
+ echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"
+
- name: Release
id: release
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # pin@v0.1.15
@@ -46,3 +54,14 @@ jobs:
token: ${{ secrets.GITHUB_TOKEN }}
wait-for-completion: false
inputs: '{ "upload_url": "${{ steps.release.outputs.upload_url }}" }'
+
+ provenance:
+ needs: [build]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@07e64b653f10a80b6510f4568f685f8b7b9ea830
+ with:
+ base64-subjects: "${{ needs.build.outputs.hashes }}"
+ upload-assets: true
diff --git a/.github/workflows/publish-firefox-development.yml b/.github/workflows/publish-firefox-development.yml
index f704e365..cf386cef 100644
--- a/.github/workflows/publish-firefox-development.yml
+++ b/.github/workflows/publish-firefox-development.yml
@@ -12,11 +12,13 @@ on:
permissions:
contents: read
jobs:
- build-signed-xpi-asset:
+ build:
runs-on: ubuntu-latest
environment: cd
permissions:
contents: write
+ outputs:
+ hashes: ${{ steps.hash.outputs.hashes }}
steps:
- uses: robinraju/release-downloader@efa4cd07bd0195e6cc65e9e30c251b49ce4d3e51 # pin@v1.8
with:
@@ -41,6 +43,11 @@ jobs:
steps.ffSignXpi.outputs.sameVersionAlreadyUploadedError != 'true'
run: exit 1
+ - name: Generate hashes
+ id: hash
+ run: |
+ echo "hashes=$(sha256sum yomitan-firefox-dev.xpi | base64 -w0)" >> "$GITHUB_OUTPUT"
+
- name: Upload offline xpi release asset
id: uploadReleaseAsset
if: steps.ffSignXpi.outcome == 'success'
@@ -86,3 +93,14 @@ jobs:
uses: ad-m/github-push-action@29f05e01bb17e6f28228b47437e03a7b69e1f9ef # pin@master
with:
branch: metadata
+
+ provenance:
+ needs: [build]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@07e64b653f10a80b6510f4568f685f8b7b9ea830
+ with:
+ base64-subjects: "${{ needs.build.outputs.hashes }}"
+ upload-assets: true