Skip to content

SLSA Provenance

SLSA Provenance #12

Workflow file for this run

name: SLSA Provenance
on:
release:
types: [created]
workflow_dispatch:
permissions: read-all
jobs:
build:
strategy:
matrix:
os: [macos-13, macos-14]
runs-on: ${{ matrix.os }}
outputs:
hash-darwin-x86_64: ${{ steps.hash.outputs.hash-darwin-x86_64 }}
hash-darwin-arm64: ${{ steps.hash.outputs.hash-darwin-arm64 }}
archive-darwin-x86_64: ${{ steps.archive.outputs.archive-darwin-x86_64 }}
archive-darwin-arm64: ${{ steps.archive.outputs.archive-darwin-arm64 }}
steps:
- name: Checkout repository
uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
- name: Install dependencies
run: brew install popt
- id: arch
name: Get machine hardware name
run: |
arch=$(uname -m)
if [[ "${arch}" != "x86_64" && "${arch}" != "arm64" ]]; then
echo "Unexpected machine hardware name: ${arch}"
exit 1
fi
echo "name=${arch}" >> "$GITHUB_OUTPUT"
- id: artifact
name: Generate build artifact
run: |
cmake -S . -B build
cmake --build build
output_dir="build/src"
artifact="flog"
if [[ ! -f "${output_dir}/${artifact}" ]]; then
echo "Failed to generate build artifact: ${output_dir}/${artifact}"
exit 1
fi
echo "dir=${output_dir}" >> "$GITHUB_OUTPUT"
echo "name=${artifact}" >> "$GITHUB_OUTPUT"
- id: archive
name: Compress build artifact
run: |
archive="flog-${GITHUB_REF_NAME}-darwin-${{ steps.arch.outputs.name }}.tar.xz"
tar -cvJf "${archive}" -C "${{ steps.artifact.outputs.dir }}" "${{ steps.artifact.outputs.name }}"
echo "name=${archive}" >> "$GITHUB_OUTPUT"
echo "archive-darwin-${{ steps.arch.outputs.name }}=${archive}" >> "$GITHUB_OUTPUT"
- id: hash
name: Generate build artifact hash
run: |
set -o pipefail
shasum -a 256 "${{ steps.archive.outputs.name }}" > "${{ steps.archive.outputs.name }}.sha256"
b64_hash=$(cat "${{ steps.archive.outputs.name }}.sha256" | base64)
echo "hash-darwin-${{ steps.arch.outputs.name }}=${b64_hash}" >> "$GITHUB_OUTPUT"
- name: Upload build artifact
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ steps.archive.outputs.name }}
path: ${{ steps.archive.outputs.name }}
if-no-files-found: error
retention-days: 7
- name: Upload SHA-256 checksum file
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
with:
name: ${{ steps.archive.outputs.name }}.sha256
path: ${{ steps.archive.outputs.name }}.sha256
if-no-files-found: error
retention-days: 7
combine_hashes:
needs: [build]
runs-on: ubuntu-latest
outputs:
hashes: ${{ steps.hashes.outputs.hashes }}
env:
HASHES: ${{ toJSON(needs.build.outputs) }}
steps:
- id: hashes
run: |
echo "$HASHES" | jq -r 'with_entries(select(.key | match("hash-.*-.*")))[] | @base64d' | sed "/^$/d" > hashes.txt
echo "hashes=$(cat hashes.txt | base64 -w0)" >> "$GITHUB_OUTPUT"
provenance:
needs: [combine_hashes]
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # Must specify version tag; see https://github.com/slsa-framework/slsa-verifier/issues/12
with:
base64-subjects: ${{ needs.combine_hashes.outputs.hashes }}
provenance-name: flog.multiple.intoto.jsonl
release:
needs: [build, provenance]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/v')
steps:
- name: Download x86_64 build artifact
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.archive-darwin-x86_64 }}
- name: Download arm64 build artifact
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
with:
name: ${{ needs.build.outputs.archive-darwin-arm64 }}
- name: Upload release assets
uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
with:
files: |
${{ needs.build.outputs.archive-darwin-x86_64 }}
${{ needs.build.outputs.archive-darwin-arm64 }}