ci: SLSA build

.github/workflows/build.yml

@@ -1,25 +1,18 @@
 name: Build
-
 on:
   push:
   pull_request:
-
-permissions:
-  contents: read
-  pull-requests: read
+  workflow_dispatch:
+  release:
+    types: [created]
 
 jobs:
-    build:
-      continue-on-error: true  
-      strategy:
-        fail-fast: false
-        matrix:
-          os: [ ubuntu-latest ]
-          app: [ web ]
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      digests: ${{ steps.hash.outputs.digests }}
 
-      name: Building ${{ matrix.app }} on ${{ matrix.os }}
-      runs-on: ${{ matrix.os }}
-      steps:
+    steps:
       - name: Checkout the repository
         uses: actions/checkout@v4
 
@@ -29,4 +22,33 @@ jobs:
       - name: Build
         run: | 
           flutter pub get
-          flutter build ${{ matrix.app }}
+          flutter build web --release
+
+      - name: Build artifacts
+        run: |
+            echo "build/web/*" > artifact1
+
+      - name: Generate subject for provenance
+        id: hash
+        run: |
+          set -euo pipefail
+
+          # List the artifacts the provenance will refer to.
+          files=$(ls artifact*)
+          # Generate the subjects (base64 encoded).
+          echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: web
+          path: build/web
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.digests }}"

.github/workflows/generator-generic-ossf-slsa3-publish.yml

@@ -0,0 +1,59 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you generate SLSA provenance file for your project.
+# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA generic generator
+on:
+  workflow_dispatch:
+  release:
+    types: [created]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      digests: ${{ steps.hash.outputs.digests }}
+
+    steps:
+      - name: Checkout the repository
+        uses: actions/checkout@v4
+
+      - name: Setup Flutter
+        uses: subosito/flutter-action@v2
+
+      - name: Build
+        run: | 
+          flutter pub get
+          flutter build web --release
+      - name: Build artifacts
+        run: |
+            echo "build/web/*" > artifact1
+
+      - name: Generate subject for provenance
+        id: hash
+        run: |
+          set -euo pipefail
+
+          # List the artifacts the provenance will refer to.
+          files=$(ls artifact*)
+          # Generate the subjects (base64 encoded).
+          echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.digests }}"
+      upload-assets: true # Optional: Upload to a new release