From e53b4d9e395f7652f32fef8db20b69529028febb Mon Sep 17 00:00:00 2001 From: Mal-Qu <113178483+Malphite10@users.noreply.github.com> Date: Mon, 15 Jun 2026 20:01:29 +0200 Subject: [PATCH] Finalize and enhance SLSA generic generator workflow (#2197) * Add SLSA generic generator workflow * ci: finalize SLSA generator and fix bun test timeout - Harden SLSA workflow with persist-credentials: false and pinned actions - Update SLSA workflow to build real npm artifacts and fix digest outputs - Increase trae-install test timeout to prevent ETIMEDOUT under Bun - Fix Validate Components security violation in SLSA workflow * ci: finalize SLSA generator and fix bun test timeout - Harden SLSA workflow with persist-credentials: false and pinned actions - Update SLSA workflow to build real npm artifacts and fix digest outputs - Rename workflow to "SLSA generic generator workflow #1" - Increase trae-install test timeout to prevent ETIMEDOUT under Bun - Fix Validate Components security violation in SLSA workflow * Update generator-generic-ossf-slsa3-publish.yml Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> * generator-generic-ossf-slsa3-publish.yml * .github/workflows/generator-generic-ossf-slsa3-publish.yml Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> * Update .github/workflows/generator-generic-ossf-slsa3-publish.yml Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> --------- Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> --- .../generator-generic-ossf-slsa3-publish.yml | 100 ++++++++++++++++++ tests/scripts/trae-install.test.js | 4 +- 2 files changed, 102 insertions(+), 2 deletions(-) create mode 100644 .github/workflows/generator-generic-ossf-slsa3-publish.yml 
diff --git a/.github/workflows/generator-generic-ossf-slsa3-publish.yml b/.github/workflows/generator-generic-ossf-slsa3-publish.yml
new file mode 100644
index 00000000..e31ddd0e
--- /dev/null
+++ b/.github/workflows/generator-generic-ossf-slsa3-publish.yml
@@ -0,0 +1,100 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you generate SLSA provenance file for your project.
+# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+name: SLSA generic generator
+
+on:
+ workflow_dispatch:
+ release:
+ types:
+ - published
+
+permissions:
+ contents: read
+
+jobs:
+ build:
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ actions: write
+
+ outputs:
+ package_file: ${{ steps.build.outputs.package_file }}
+ digests: ${{ steps.hash.outputs.digests }}
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@f4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
+ with:
+ persist-credentials: false
+
+ - name: Setup Node.js
+ uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
+ with:
+ node-version: "20.x"
+
+ - name: Install dependencies
+ run: npm ci --ignore-scripts
+
+ - name: Build artifacts
+ id: build
+ run: |
+ set -euo pipefail
+
+ npm pack --json > npm-pack.json
+
+ PACKAGE_FILE=$(node -e "
+ const fs = require('fs');
+ const data = JSON.parse(fs.readFileSync('npm-pack.json', 'utf8'));
+ console.log(data[0].filename);
+ ")
+
+ echo "package_file=${PACKAGE_FILE}" >> "${GITHUB_OUTPUT}"
+
+ - name: Generate subject for provenance
+ id: hash
+ run: |
+ set -euo pipefail
+
+ FILE="${{ steps.build.outputs.package_file }}"
+
+ if [ ! -f "$FILE" ]; then
+ echo "Package file not found: $FILE"
+ exit 1
+ fi
+
+ DIGESTS=$(sha256sum "$FILE" | base64 -w0)
+
+ echo "digests=${DIGESTS}" >> "${GITHUB_OUTPUT}"
+
+ - name: Upload artifacts
+ uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+ with:
+ name: ${{ steps.build.outputs.package_file }}
+ path: ${{ steps.build.outputs.package_file }}
+ if-no-files-found: error
+
+ provenance:
+ needs:
+ - build
+
+ permissions:
+ actions: read
+ id-token: write
+ contents: write
+
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@68bad40844440577b33778c9f29077a3388838e9 # v1.4.0
+
+ with:
+ base64-subjects: ${{ needs.build.outputs.digests }}
+ upload-assets: true
diff --git a/tests/scripts/trae-install.test.js b/tests/scripts/trae-install.test.js
index 167b913a..ef871a70 100644
--- a/tests/scripts/trae-install.test.js
+++ b/tests/scripts/trae-install.test.js
@@ -29,7 +29,7 @@ function runInstall(options = {}) {
 },
 encoding: 'utf8',
 stdio: ['pipe', 'pipe', 'pipe'],
- timeout: 60000,
+ timeout: 300000,
 });
 }
 
@@ -43,7 +43,7 @@ function runUninstall(options = {}) {
 encoding: 'utf8',
 input: options.input || 'y\n',
 stdio: ['pipe', 'pipe', 'pipe'],
- timeout: 60000,
+ timeout: 300000,
 });
 }
 
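Review bot: The checkout pin `actions/checkout@f4cb1c069e1874edd31b4311f1884172cec0e10` is 39 hex characters, one short of a full commit SHA, so it is not the immutable pin the `# v6.0.3` comment implies and may not resolve at all; the other three `uses:` references in this file are full 40-character SHAs, so replace it with `uses: actions/checkout@<full 40-char SHA of the v6.0.3 tag> # v6.0.3`. The provenance job references the generator by hash (`@68bad408… # v1.4.0`), while the slsa-github-generator project, as far as I recall its README, requires its reusable workflows to be referenced by a full `vX.Y.Z` tag and fails at runtime otherwise, so confirm the reference form for the generator version chosen. In the `Generate subject for provenance` step, `FILE="${{ steps.build.outputs.package_file }}"` expands a workflow expression straight into the shell script; the value comes from `npm pack` and so is bounded by repository contents, but the hardened form is `env: PACKAGE_FILE: ${{ steps.build.outputs.package_file }}` on the step with `FILE="$PACKAGE_FILE"` in the script. Finally, `upload-assets: true` publishes only the provenance to the release, while the tarball whose digest it attests is stored only as a workflow artifact (retention-limited) and nothing visible here publishes it, so a consumer of the release has no subject to verify against unless the tarball is also attached or published.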
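Review bot: The `timeout: 300000` literal is now duplicated between `runInstall` and `runUninstall` (the second hunk in this file); hoisting it to one module-level `const SPAWN_TIMEOUT_MS = 300000; // 5 min: runs under Bun hit ETIMEDOUT at 60 s` and using `timeout: SPAWN_TIMEOUT_MS,` in both option objects keeps the next adjustment in one place and records why the value is so large. A five-minute ceiling also means a genuinely hung install stalls the suite for that long before failing, so if the ETIMEDOUT named in the commit message came from a network fetch inside the install rather than slow execution, a narrower fix (retrying or caching that fetch) may be preferable; that cannot be judged from the hunk. Both enclosing functions start outside their hunks.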