diff options
author | Darius Jahandarie <djahandarie@gmail.com> | 2023-10-01 12:24:28 +0900 |
---|---|---|
committer | Darius Jahandarie <djahandarie@gmail.com> | 2023-10-01 12:25:21 +0900 |
commit | 947f933f14311ecc22314e173275655cbe1e5ad9 (patch) | |
tree | cb6f4f4d4df87c8372e5936b00c4e4491edf9c83 | |
parent | 0fa8d441a269b13474e6ad4108f49497d4d3abfd (diff) |
Add SLSA provenance to releases
-rw-r--r-- | .github/workflows/create-prerelease-on-tag.yml | 21 | ||||
-rw-r--r-- | .github/workflows/publish-firefox-development.yml | 20 |
2 files changed, 39 insertions, 2 deletions
diff --git a/.github/workflows/create-prerelease-on-tag.yml b/.github/workflows/create-prerelease-on-tag.yml index 0061ed2a..cd101801 100644 --- a/.github/workflows/create-prerelease-on-tag.yml +++ b/.github/workflows/create-prerelease-on-tag.yml @@ -7,11 +7,13 @@ on: permissions: contents: read jobs: - build-release-publish: + build: runs-on: ubuntu-latest permissions: actions: write contents: write + outputs: + hashes: ${{ steps.hash.outputs.hashes }} steps: - uses: actions/checkout@v4 @@ -24,6 +26,12 @@ jobs: run: npm run-script build -- --all --yomitan-version ${{ github.ref_name }} shell: bash + - name: Generate hashes + id: hash + run: | + cd builds + echo "hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT" + - name: Release id: release uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # pin@v0.1.15 @@ -46,3 +54,14 @@ jobs: token: ${{ secrets.GITHUB_TOKEN }} wait-for-completion: false inputs: '{ "upload_url": "${{ steps.release.outputs.upload_url }}" }' + + provenance: + needs: [build] + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@07e64b653f10a80b6510f4568f685f8b7b9ea830 + with: + base64-subjects: "${{ needs.build.outputs.hashes }}" + upload-assets: true diff --git a/.github/workflows/publish-firefox-development.yml b/.github/workflows/publish-firefox-development.yml index f704e365..cf386cef 100644 --- a/.github/workflows/publish-firefox-development.yml +++ b/.github/workflows/publish-firefox-development.yml @@ -12,11 +12,13 @@ on: permissions: contents: read jobs: - build-signed-xpi-asset: + build: runs-on: ubuntu-latest environment: cd permissions: contents: write + outputs: + hashes: ${{ steps.hash.outputs.hashes }} steps: - uses: robinraju/release-downloader@efa4cd07bd0195e6cc65e9e30c251b49ce4d3e51 # pin@v1.8 with: @@ -41,6 +43,11 @@ jobs: steps.ffSignXpi.outputs.sameVersionAlreadyUploadedError != 'true' run: exit 1 + - name: Generate hashes + id: hash + run: | + echo "hashes=$(sha256sum yomitan-firefox-dev.xpi | base64 -w0)" >> "$GITHUB_OUTPUT" + - name: Upload offline xpi release asset id: uploadReleaseAsset if: steps.ffSignXpi.outcome == 'success' @@ -86,3 +93,14 @@ jobs: uses: ad-m/github-push-action@29f05e01bb17e6f28228b47437e03a7b69e1f9ef # pin@master with: branch: metadata + + provenance: + needs: [build] + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@07e64b653f10a80b6510f4568f685f8b7b9ea830 + with: + base64-subjects: "${{ needs.build.outputs.hashes }}" + upload-assets: true |