upload provenance separately

3 months ago · d0c02eed26
parent c29e75d54c
commit d0c02eed26
1 changed files with 25 additions and 1 deletions
--- a/.github/workflows/package.yml
+++ b/.github/workflows/package.yml
@ -77,7 +77,31 @@ jobs:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
-      upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}
      upload-tag-name: "${{ needs.build.outputs.version }}"
      draft-release: true
+      # NOTE: Due to issue with duplicating a draft, we need to download the provenance and
+      #       upload it ourselves via the "upload-provenance" step.
+      # upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}
+      upload-assets: false
      provenance-name: "c-ares-${{ needs.build.outputs.version }}.intoto.jsonl"
+
+  upload-provenance:
+    needs: [provenance]
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read # To read the workflow path.
+      contents: write # To add assets to a release.
+    steps:
+      - name: Download the provenance
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{needs.provenance.outputs.provenance-name}}
+      - name: Upload Provenance to Release
+        uses: softprops/action-gh-release@v2
+        if: startsWith(github.ref, 'refs/tags/')
+        id: upload-provenance
+        with:
+          name: ${{ needs.build.outputs.version }}
+          draft: true
+          files: ${{needs.provenance.outputs.provenance-name}}
+          fail_on_unmatched_files: true