diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index edbc1fe..988de0f 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -1,25 +1,18 @@ name: Build - on: push: pull_request: - -permissions: - contents: read - pull-requests: read + workflow_dispatch: + release: + types: [created] jobs: - build: - continue-on-error: true - strategy: - fail-fast: false - matrix: - os: [ ubuntu-latest ] - app: [ web ] + build: + runs-on: ubuntu-latest + outputs: + digests: ${{ steps.hash.outputs.digests }} - name: Building ${{ matrix.app }} on ${{ matrix.os }} - runs-on: ${{ matrix.os }} - steps: + steps: - name: Checkout the repository uses: actions/checkout@v4 @@ -29,4 +22,33 @@ jobs: - name: Build run: | flutter pub get - flutter build ${{ matrix.app }} + flutter build web --release + + - name: Build artifacts + run: | + echo "build/web/*" > artifact1 + + - name: Generate subject for provenance + id: hash + run: | + set -euo pipefail + + # List the artifacts the provenance will refer to. + files=$(ls artifact*) + # Generate the subjects (base64 encoded). + echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" + + - uses: actions/upload-artifact@v4 + with: + name: web + path: build/web + + provenance: + needs: [build] + permissions: + actions: read + id-token: write + contents: write + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0 + with: + base64-subjects: "${{ needs.build.outputs.digests }}" diff --git a/.github/workflows/generator-generic-ossf-slsa3-publish.yml b/.github/workflows/generator-generic-ossf-slsa3-publish.yml new file mode 100644 index 0000000..16c9bc6 --- /dev/null +++ b/.github/workflows/generator-generic-ossf-slsa3-publish.yml @@ -0,0 +1,59 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow lets you generate SLSA provenance file for your project. +# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements +# The project is an initiative of the OpenSSF (openssf.org) and is developed at +# https://github.com/slsa-framework/slsa-github-generator. +# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. +# For more information about SLSA and how it improves the supply-chain, visit slsa.dev. + +name: SLSA generic generator +on: + workflow_dispatch: + release: + types: [created] + +jobs: + build: + runs-on: ubuntu-latest + outputs: + digests: ${{ steps.hash.outputs.digests }} + + steps: + - name: Checkout the repository + uses: actions/checkout@v4 + + - name: Setup Flutter + uses: subosito/flutter-action@v2 + + - name: Build + run: | + flutter pub get + flutter build web --release + - name: Build artifacts + run: | + echo "build/web/*" > artifact1 + + - name: Generate subject for provenance + id: hash + run: | + set -euo pipefail + + # List the artifacts the provenance will refer to. + files=$(ls artifact*) + # Generate the subjects (base64 encoded). + echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" + + provenance: + needs: [build] + permissions: + actions: read + id-token: write + contents: write + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0 + with: + base64-subjects: "${{ needs.build.outputs.digests }}" + upload-assets: true # Optional: Upload to a new release