github workflow: adding release workflow to have provenance for relea…

…se artifacts This adds a workflow based on the scorecard recommendation for software provenance. The workflow requires some manual actions to verify that the signiture in the release is correct.
kokkos · Aug 8, 2024 · 6163dad · 6163dad
1 parent b11dba2
commit 6163dad
Showing 1 changed file with 83 additions and 0 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -0,0 +1,83 @@
+on:
+  push:
+    tags: '[0-9]+.[0-9]+.[0-9][0-9]'
+
+
+permissions: read-all
+
+jobs:
+  # This step builds our artifacts, uploads them to the workflow run, and
+  # outputs their digest.
+  build:
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Build artifacts
+        run: |
+          git archive -o kokkos-kernels-${{ github.ref_name }}.zip HEAD
+          git archive -o kokkos-kernels-${{ github.ref_name }}.tar.gz HEAD
+
+      - name: Generate hashes
+        shell: bash
+        id: hash
+        run: |
+          # sha256sum generates sha256 hash for all artifacts.
+          # base64 -w0 encodes to base64 and outputs on a single line.
+          echo "hashes=$(sha256sum kokkos-kernels-${{ github.ref_name }}.zip kokkos-kernels-${{ github.ref_name }}.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
+
+      - name: Upload source code (zip)
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+        with:
+          name: kokkos-kernels-${{ github.ref_name }}.zip
+          path: kokkos-kernels-${{ github.ref_name }}.zip
+          if-no-files-found: error
+          retention-days: 5
+
+      - name: Upload source code (tar.gz)
+        uses: actions/upload-artifact@89ef406dd8d7e03cfd12d9e0a4a378f454709029 # v4.3.5
+        with:
+          name: kokkos-kernels-${{ github.ref_name }}.tar.gz
+          path: kokkos-kernels-${{ github.ref_name }}.tar.gz
+          if-no-files-found: error
+          retention-days: 5
+
+  # This step calls the generic workflow to generate provenance.
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      # Upload provenance to a new release
+      upload-assets: true
+      provenance-name: "kokkos-kernels-${{ github.ref_name }}.intoto.jsonl"
+
+  # This step uploads our artifacts to the tagged GitHub release.
+  release:
+    needs: [build, provenance]
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/')
+    steps:
+      - name: Download kokkos-kernels-${{ github.ref_name }}.zip
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: kokkos-kernels-${{ github.ref_name }}.zip
+
+      - name: Download kokkos-kernels-${{ github.ref_name }}.tar.gz
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: kokkos-kernels-${{ github.ref_name }}.tar.gz
+
+      - name: Upload assets
+        uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
+        with:
+          files: |
+            kokkos-kernels-${{ github.ref_name }}.zip
+            kokkos-kernels-${{ github.ref_name }}.tar.gz