From 4fe5c5ea427503bdb32c56778d59fab2e9872647 Mon Sep 17 00:00:00 2001
From: Pun Butrach <pun.butrach@gmail.com>
Date: Thu, 15 Feb 2024 10:09:23 +0700
Subject: [PATCH 1/4] Create generator-generic-ossf-slsa3-publish.yml

Signed-off-by: Pun Butrach <pun.butrach@gmail.com>
---
 .../generator-generic-ossf-slsa3-publish.yml  | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 .github/workflows/generator-generic-ossf-slsa3-publish.yml

diff --git a/.github/workflows/generator-generic-ossf-slsa3-publish.yml b/.github/workflows/generator-generic-ossf-slsa3-publish.yml
new file mode 100644
index 0000000..16c9bc6
--- /dev/null
+++ b/.github/workflows/generator-generic-ossf-slsa3-publish.yml
@@ -0,0 +1,59 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you generate SLSA provenance file for your project.
+# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA generic generator
+on:
+  workflow_dispatch:
+  release:
+    types: [created]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      digests: ${{ steps.hash.outputs.digests }}
+
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@v4
+
+      - name: Setup Flutter
+        uses: subosito/flutter-action@v2
+      
+      - name: Build
+        run: | 
+          flutter pub get
+          flutter build web --release
+      - name: Build artifacts
+        run: |
+            echo "build/web/*" > artifact1
+            
+      - name: Generate subject for provenance
+        id: hash
+        run: |
+          set -euo pipefail
+
+          # List the artifacts the provenance will refer to.
+          files=$(ls artifact*)
+          # Generate the subjects (base64 encoded).
+          echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.digests }}"
+      upload-assets: true # Optional: Upload to a new release

From 399d0510652e2593259972611cced33c81023b6b Mon Sep 17 00:00:00 2001
From: Pun Butrach <pun.butrach@gmail.com>
Date: Thu, 15 Feb 2024 10:20:13 +0700
Subject: [PATCH 2/4] Update build.yml

Signed-off-by: Pun Butrach <pun.butrach@gmail.com>
---
 .github/workflows/build.yml | 51 ++++++++++++++++++++++++-------------
 1 file changed, 33 insertions(+), 18 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index edbc1fe..4035120 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,25 +1,16 @@
 name: Build
-
 on:
-  push:
-  pull_request:
-
-permissions:
-  contents: read
-  pull-requests: read
+  workflow_dispatch:
+  release:
+    types: [created]
 
 jobs:
-    build:
-      continue-on-error: true  
-      strategy:
-        fail-fast: false
-        matrix:
-          os: [ ubuntu-latest ]
-          app: [ web ]
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      digests: ${{ steps.hash.outputs.digests }}
 
-      name: Building ${{ matrix.app }} on ${{ matrix.os }}
-      runs-on: ${{ matrix.os }}
-      steps:
+    steps:
       - name: Checkout the repository
         uses: actions/checkout@v4
 
@@ -29,4 +20,28 @@ jobs:
       - name: Build
         run: | 
           flutter pub get
-          flutter build ${{ matrix.app }}
+          flutter build web --release
+      - name: Build artifacts
+        run: |
+            echo "build/web/*" > artifact1
+            
+      - name: Generate subject for provenance
+        id: hash
+        run: |
+          set -euo pipefail
+
+          # List the artifacts the provenance will refer to.
+          files=$(ls artifact*)
+          # Generate the subjects (base64 encoded).
+          echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.digests }}"
+      upload-assets: true # Optional: Upload to a new release

From f454e339b29c6016fd0041947edb7f3ad107868b Mon Sep 17 00:00:00 2001
From: Pun Butrach <pun.butrach@gmail.com>
Date: Thu, 15 Feb 2024 10:21:53 +0700
Subject: [PATCH 3/4] Update build.yml

Signed-off-by: Pun Butrach <pun.butrach@gmail.com>
---
 .github/workflows/build.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index 4035120..d4f3343 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -1,5 +1,7 @@
 name: Build
 on:
+  push:
+  pull_request:
   workflow_dispatch:
   release:
     types: [created]

From 0be0e9ee795a707e71f3737a519782172534cbbd Mon Sep 17 00:00:00 2001
From: Pun Butrach <pun.butrach@gmail.com>
Date: Thu, 15 Feb 2024 14:13:14 +0700
Subject: [PATCH 4/4] Attempt to fix CI

Signed-off-by: Pun Butrach <pun.butrach@gmail.com>
---
 .github/workflows/build.yml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d4f3343..988de0f 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -23,6 +23,7 @@ jobs:
         run: | 
           flutter pub get
           flutter build web --release
+          
       - name: Build artifacts
         run: |
             echo "build/web/*" > artifact1
@@ -36,6 +37,11 @@ jobs:
           files=$(ls artifact*)
           # Generate the subjects (base64 encoded).
           echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
+          
+      - uses: actions/upload-artifact@v4
+        with:
+          name: web
+          path: build/web
 
   provenance:
     needs: [build]
@@ -43,7 +49,6 @@ jobs:
       actions: read
       id-token: write
       contents: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
     with:
       base64-subjects: "${{ needs.build.outputs.digests }}"
-      upload-assets: true # Optional: Upload to a new release