diff --git a/.github/workflows/java-build-for-release.yml b/.github/workflows/java-build-for-release.yml
index 3d88ed1d..c7ddd246 100644
--- a/.github/workflows/java-build-for-release.yml
+++ b/.github/workflows/java-build-for-release.yml
@@ -56,28 +56,12 @@ jobs:
 path: ./java/build/release/
 if-no-files-found: error

- provenance:
- needs: [build, strip-tag]
- permissions:
- actions: read # To read the workflow path.
- id-token: write # To sign the provenance.
- contents: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
- with:
- attestation-name: "protobuf-specs-${{ needs.strip-tag.outputs.version }}.attestation.intoto.jsonl"
- base64-subjects: "${{ needs.build.outputs.hashes }}"
-
 create-release:
 runs-on: ubuntu-latest
 needs: [provenance, build]
 permissions:
 contents: write # To draft a release
 steps:
- - name: Download attestation
- uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
- with:
- name: "${{ needs.provenance.outputs.attestation-name }}"
- path: ./release/
 - name: Download gradle release artifacts
 uses: actions/download-artifact@eaceaf801fd36c7dee90939fad912460b18a1ffe # v4.1.2
 with:
@@ -90,3 +74,17 @@ jobs:
 tag_name: ${{ github.ref_name }}
 files: ./release/*
 draft: true
+
+ provenance:
+ needs: [build, strip-tag, create-release]
+ permissions:
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+ with:
+ attestation-name: "protobuf-specs-${{ needs.strip-tag.outputs.version }}.attestation.intoto.jsonl"
+ upload-assets: true
+ base64-subjects: "${{ needs.build.outputs.hashes }}"
+ upload-tag-name: "${{ github.ref_name }}" # Upload to tag rather than generate a new release
+ draft-release: true
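Review bot: The new side contains a dependency cycle between the two release jobs. `create-release` keeps `needs: [provenance, build]` as an unchanged line in the first hunk, while the re-added `provenance` job in the second hunk declares `needs: [build, strip-tag, create-release]`. Each job waits on the other, so the workflow should fail validation instead of producing a release or an attestation. The attestation download step is removed here and the generator now uploads the provenance itself, so `create-release` no longer depends on it; change that line to `needs: [build]`. The `create-release` steps continue past the end of this hunk.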
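Review bot: `contents: write` in the re-added `provenance` job is the only permission without a trailing comment, and with `upload-assets: true` it appears to be what lets the generator attach the attestation to the release. Record that next to it, for example `contents: write # To upload the attestation to the release.`, so a later least-privilege pass neither drops nor widens it by guesswork. The hunk does not show whether `upload-tag-name` with `draft-release: true` attaches to the draft that `create-release` made or opens a second one for the same tag. Confirm this on a test tag, since a provenance file on a separate draft would be easy to publish without the artifacts it covers.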