
Commit 591d25d

committed
build: adding slsa provenance generation to release-client workflow
1 parent be77902 commit 591d25d


2 files changed

+48
-0
lines changed


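--- a/.github/actions/sdk-release/action.yml
+++ b/.github/actions/sdk-release/action.yml
@@ -18,6 +18,16 @@ inputs:
 required: true
 sdk_cmake_target:
 description: 'CMake target of the sdk, e.g. launchdarkly-cpp-client.'
+outputs:
+hashes-linux:
+description: "base64-encoded sha256 hash of linux build artifacts"
+value: ${{ steps.hash-linux.outputs.hashes-linux }}
+hashes-windows:
+description: "base64-encoded sha256 hash of windows build artifacts"
+value: ${{ steps.hash-windows.outputs.hashes-windows }}
+hashes-macos:
+description: "base64-encoded sha256 hash of macos build artifacts"
+value: ${{ steps.hash-macos.outputs.hashes-macos }}
 
 runs:
 using: composite
@@ -56,6 +66,12 @@ runs:
 type: 'zip'
 filename: 'linux-gcc-x64-dynamic.zip'
 
+- name: Hash Linux Build Artifacts for provenance
+if: runner.os == 'Linux'
+shell: bash
+id: hash-linux
+run: |
+echo "hashes-linux=$(sha256sum linux-gcc-x64-static.zip linux-gcc-x64-dynamic.zip | base64 -w0)" >> "$GITHUB_OUTPUT"
 
 - name: Upload Linux Build Artifacts
 if: runner.os == 'Linux'
@@ -118,6 +134,13 @@ runs:
 type: 'zip'
 filename: 'windows-msvc-x64-dynamic-debug.zip'
 
+- name: Hash Windows Build Artifacts for provenance
+if: runner.os == 'Windows'
+shell: bash
+id: hash-windows
+run: |
+echo "hashes-windows=$(sha256sum windows-msvc-x64-static.zip windows-msvc-x64-dynamic.zip windows-msvc-x64-static-debug.zip windows-msvc-x64-dynamic-debug.zip | base64 -w0)" >> "$GITHUB_OUTPUT"
+
 - name: Upload Windows Build Artifacts
 if: runner.os == 'Windows'
 shell: bash
@@ -157,6 +180,13 @@ runs:
 type: 'zip'
 filename: 'mac-clang-x64-dynamic.zip'
 
+- name: Hash Mac Build Artifacts for provenance
+if: runner.os == 'macOS'
+shell: bash
+id: hash-macos
+run: |
+echo "hashes-macos=$(sha256sum mac-clang-x64-static.zip mac-clang-x64-dynamic.zip | base64 -w0)" >> "$GITHUB_OUTPUT"
+
 - name: Upload Mac Build Artifacts
 if: runner.os == 'macOS'
 shell: bash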
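Review bot: A failing hash command does not fail any of the three new steps (`hash-linux`, `hash-windows`, `hash-macos`), because the command substitution sits inside the `echo` argument and the step ends with the status of `echo`. A missing or misnamed zip would then yield an output with fewer subjects, or an empty one, and the provenance would silently not cover that artifact. Assigning first lets the `-e -o pipefail` that `shell: bash` applies stop the step: `hashes=$(sha256sum linux-gcc-x64-static.zip linux-gcc-x64-dynamic.zip | base64 -w0)` followed by `echo "hashes-linux=$hashes" >> "$GITHUB_OUTPUT"`, and likewise for the other two. On the macOS step, `sha256sum` and `base64 -w0` are GNU forms and may not be present on the runner image, which is worth confirming because the same silent failure would hide it. The `steps:` list starts and continues outside these hunks.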

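--- a/.github/workflows/release-please.yml
+++ b/.github/workflows/release-please.yml
@@ -26,6 +26,10 @@ jobs:
 runs-on: ${{ matrix.os }}
 needs: [ 'release-please' ]
 if: ${{ needs.release-please.outputs.package-client-released }}
+outputs:
+hashes-linux: ${{ steps.release-client.outputs.hashes-linux }}
+hashes-windows: ${{ steps.release-client.outputs.hashes-windows }}
+hashes-macos: ${{ steps.release-client.outputs.hashes-macos }}
 steps:
 - uses: actions/checkout@v3
 - id: release-client
@@ -37,3 +41,17 @@ jobs:
 github_token: ${{secrets.GITHUB_TOKEN}}
 sdk_path: 'libs/client-sdk'
 sdk_cmake_target: 'launchdarkly-cpp-client'
+
+release-client-provenance:
+needs: ['release-client']
+strategy:
+matrix:
+# Generates a combined attestation for each platform
+os: [ linux, windows, macos ]
+permissions:
+actions: read
+id-token: write
+contents: write
+uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+with:
+base64-subjects: "${{ needs.release-client.outputs[format('hashes-{0}', matrix.os)] }}"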