From 902e43d50023cbc5459d84363d5f6d13b1d03bb1 Mon Sep 17 00:00:00 2001
From: Marc Ransome
Date: Sun, 24 Mar 2024 00:42:39 +0000
Subject: [PATCH] Add checksums and in-toto attestations to release
---
 .github/workflows/release.yml | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 04028f4..1f4b5b6 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -15,6 +15,8 @@ jobs:
 outputs:
 hash-darwin-x86_64: ${{ steps.hash.outputs.hash-darwin-x86_64 }}
 hash-darwin-arm64: ${{ steps.hash.outputs.hash-darwin-arm64 }}
+ checksum-darwin-x86_64: ${{ steps.hash.outputs.archive-darwin-x86_64 }}
+ checksum-darwin-arm64: ${{ steps.hash.outputs.archive-darwin-arm64 }}
 archive-darwin-x86_64: ${{ steps.archive.outputs.archive-darwin-x86_64 }}
 archive-darwin-arm64: ${{ steps.archive.outputs.archive-darwin-arm64 }}
 steps:
@@ -61,6 +63,7 @@ jobs:
 shasum -a 256 "${{ steps.archive.outputs.name }}" > "${{ steps.archive.outputs.name }}.sha256"
 b64_hash=$(cat "${{ steps.archive.outputs.name }}.sha256" | base64)
 echo "hash-darwin-${{ steps.arch.outputs.name }}=${b64_hash}" >> "$GITHUB_OUTPUT"
+ echo "checksum-darwin-${{ steps.arch.outputs.name }}=${{ steps.archive.outputs.name }}.sha256" >> "$GITHUB_OUTPUT"
 - name: Upload build artifact
 uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
 with:
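Review bot: Both added job outputs read `steps.hash.outputs.archive-darwin-*`, but the step that writes to `$GITHUB_OUTPUT` in the second hunk (apparently the `hash` step, since it also sets `hash-darwin-<arch>`) stores the checksum file name under `checksum-darwin-<arch>`. The `archive-darwin-*` keys are read from `steps.archive` two lines further down, so these expressions most likely evaluate to an empty string. The download steps and the `files:` entries in the third hunk would then receive an empty name, and the release could ship without its checksum files. The two lines should read `checksum-darwin-x86_64: ${{ steps.hash.outputs.checksum-darwin-x86_64 }}` and `checksum-darwin-arm64: ${{ steps.hash.outputs.checksum-darwin-arm64 }}`.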
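Review bot: The `.sha256` file whose name the added `echo` records is not uploaded under its own artifact name anywhere in this commit, yet the third hunk downloads artifacts named `${{ needs.build.outputs.checksum-darwin-* }}`, i.e. `<archive>.sha256`. None of the 14 added lines is an upload step, and the `with:` block of the existing `Upload build artifact` step lies outside the hunk. Unless that step already publishes an artifact with exactly that name, the new download steps have nothing to fetch. A separate upload step after the existing one would close the gap, pinned to the same action commit and set to fail when the file is missing.

```yaml
      # … unchanged: "Upload build artifact" step …
      - name: Upload SHA-256 checksum file
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
        with:
          name: ${{ steps.archive.outputs.name }}.sha256
          path: ${{ steps.archive.outputs.name }}.sha256
          if-no-files-found: error
```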
@@ -108,13 +111,24 @@ jobs:
 uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
 with:
 name: ${{ needs.build.outputs.archive-darwin-x86_64 }}
+ - name: Download x86_64 SHA-256 checksum file
+ uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+ with:
+ name: ${{ needs.build.outputs.checksum-darwin-x86_64 }}
 - name: Download arm64 build artifact
 uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
 with:
 name: ${{ needs.build.outputs.archive-darwin-arm64 }}
+ - name: Download arm64 SHA-256 checksum file
+ uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+ with:
+ name: ${{ needs.build.outputs.checksum-darwin-arm64 }}
 - name: Upload release assets
 uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
 with:
 files: |
 ${{ needs.build.outputs.archive-darwin-x86_64 }}
+ ${{ needs.build.outputs.checksum-darwin-x86_64 }}
 ${{ needs.build.outputs.archive-darwin-arm64 }}
+ ${{ needs.build.outputs.checksum-darwin-arm64 }}
+ flog.multiple.intoto.jsonl
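Review bot: The `files:` list of `Upload release assets` now names three files whose presence in the workspace is not guaranteed by anything visible here. By default action-gh-release only warns when a listed pattern matches nothing, so a release could be published without its checksums or provenance and nobody would notice. Adding `fail_on_unmatched_files: true` under that step's `with:` would turn a missing integrity file into a failed job. No step in this hunk downloads `flog.multiple.intoto.jsonl`; if the provenance artifact is not fetched earlier in the job (outside the hunk), a download step for it is needed before this one. The job's start lies outside the hunk, so both points should be checked against the full workflow.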