build: adding provenance generation for manual workflow

launchdarkly · May 31, 2024 · 12fa042 · 12fa042
1 parent 4ce8a09
commit 12fa042
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 2 deletions.
diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml
@@ -20,9 +20,13 @@ jobs:
     permissions:
       id-token: write
       contents: write
+    outputs:
+      server-sdk-hashes: ${{ steps.server-sdk-release.outputs.hashes }}
+      telemetry-hashes: ${{ steps.telemetry-release.outputs.hashes }}
     steps:
       - uses: actions/checkout@v4
       - uses: ./.github/actions/full-release
+        id: server-sdk-release
         if: ${{ inputs.pkg_name == 'LaunchDarkly.ServerSdk' }}
         with:
           workspace_path: 'pkgs/sdk/server'
@@ -35,6 +39,7 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - uses: ./.github/actions/full-release
+        id: telemetry-release
         if: ${{ inputs.pkg_name == 'LaunchDarkly.ServerSdk.Telemetry' }}
         with:
           workspace_path: 'pkgs/telemetry'
@@ -45,3 +50,32 @@ jobs:
           dry_run: ${{ inputs.dry_run }}
           aws_role: ${{ vars.AWS_ROLE_ARN }}
           token: ${{ secrets.GITHUB_TOKEN }}
+
+  release-sdk-server-provenance:
+    needs: ['build']
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+    if: ${{ inputs.pkg_name == 'LaunchDarkly.ServerSdk' }}
+    with:
+      base64-subjects: "${{ needs.build.outputs.server-sdk-hashes }}"
+      upload-assets: true
+      upload-tag-name: ${{ input.tag_name }}
+      provenance-name: ${{ format('LaunchDarkly.ServerSdk-{0}_provenance.intoto.jsonl', input.tag_name) }}
+
+
+  release-telemetry-server-provenance:
+    needs: ['build']
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
+    if: ${{ inputs.pkg_name == 'LaunchDarkly.ServerSdk.Telemetry' }}
+    with:
+      base64-subjects: "${{ needs.build.outputs.telemetry-hashes }}"
+      upload-assets: true
+      upload-tag-name: ${{ input.tag_name }}
+      provenance-name: ${{ format('LaunchDarkly.ServerSdk.Telemetry-{0}_provenance.intoto.jsonl', input.tag_name) }}
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -56,7 +56,7 @@ jobs:
       base64-subjects: "${{ needs.release-sdk-server.outputs.hashes }}"
       upload-assets: true
       upload-tag-name: ${{ needs.release-please.outputs.tag_name }}
-      provenance-name: ${{ format('ldcli_{0}_multiple_provenance.intoto.jsonl', needs.release-please.outputs.tag_name) }}
+      provenance-name: ${{ format('LaunchDarkly.ServerSdk-{0}_provenance.intoto.jsonl', needs.release-please.outputs.tag_name) }}
 
   release-telemetry:
     runs-on: ubuntu-latest
@@ -93,4 +93,4 @@ jobs:
       base64-subjects: "${{ needs.release-telemetry.outputs.hashes }}"
       upload-assets: true
       upload-tag-name: ${{ needs.release-please.outputs.tag_name }}
-      provenance-name: ${{ format('ldcli_{0}_multiple_provenance.intoto.jsonl', needs.release-please.outputs.tag_name) }}
+      provenance-name: ${{ format('LaunchDarkly.ServerSdk.Telemetry-{0}_provenance.intoto.jsonl', needs.release-please.outputs.tag_name) }}