mirror of
https://github.com/affaan-m/everything-claude-code.git
synced 2026-06-16 16:36:53 +08:00
e53b4d9e39
* Add SLSA generic generator workflow * ci: finalize SLSA generator and fix bun test timeout - Harden SLSA workflow with persist-credentials: false and pinned actions - Update SLSA workflow to build real npm artifacts and fix digest outputs - Increase trae-install test timeout to prevent ETIMEDOUT under Bun - Fix Validate Components security violation in SLSA workflow * ci: finalize SLSA generator and fix bun test timeout - Harden SLSA workflow with persist-credentials: false and pinned actions - Update SLSA workflow to build real npm artifacts and fix digest outputs - Rename workflow to "SLSA generic generator workflow #1" - Increase trae-install test timeout to prevent ETIMEDOUT under Bun - Fix Validate Components security violation in SLSA workflow * Update generator-generic-ossf-slsa3-publish.yml Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> * generator-generic-ossf-slsa3-publish.yml * .github/workflows/generator-generic-ossf-slsa3-publish.yml Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> * Update .github/workflows/generator-generic-ossf-slsa3-publish.yml Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com> --------- Co-authored-by: cubic-dev-ai[bot] <191113872+cubic-dev-ai[bot]@users.noreply.github.com> Co-authored-by: greptile-apps[bot] <165735046+greptile-apps[bot]@users.noreply.github.com>
101 lines
2.8 KiB
YAML
101 lines
2.8 KiB
YAML
# This workflow uses actions that are not certified by GitHub.
|
|
# They are provided by a third-party and are governed by
|
|
# separate terms of service, privacy policy, and support
|
|
# documentation.
|
|
|
|
# This workflow lets you generate SLSA provenance file for your project.
|
|
# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
|
|
# The project is an initiative of the OpenSSF (openssf.org) and is developed at
|
|
# https://github.com/slsa-framework/slsa-github-generator.
|
|
# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
|
|
# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
|
|
name: SLSA generic generator
|
|
|
|
on:
|
|
workflow_dispatch:
|
|
release:
|
|
types:
|
|
- published
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
actions: write
|
|
|
|
outputs:
|
|
package_file: ${{ steps.build.outputs.package_file }}
|
|
digests: ${{ steps.hash.outputs.digests }}
|
|
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@f4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
|
|
with:
|
|
persist-credentials: false
|
|
|
|
- name: Setup Node.js
|
|
uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
|
|
with:
|
|
node-version: "20.x"
|
|
|
|
- name: Install dependencies
|
|
run: npm ci --ignore-scripts
|
|
|
|
- name: Build artifacts
|
|
id: build
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
npm pack --json > npm-pack.json
|
|
|
|
PACKAGE_FILE=$(node -e "
|
|
const fs = require('fs');
|
|
const data = JSON.parse(fs.readFileSync('npm-pack.json', 'utf8'));
|
|
console.log(data[0].filename);
|
|
")
|
|
|
|
echo "package_file=${PACKAGE_FILE}" >> "${GITHUB_OUTPUT}"
|
|
|
|
- name: Generate subject for provenance
|
|
id: hash
|
|
run: |
|
|
set -euo pipefail
|
|
|
|
FILE="${{ steps.build.outputs.package_file }}"
|
|
|
|
if [ ! -f "$FILE" ]; then
|
|
echo "Package file not found: $FILE"
|
|
exit 1
|
|
fi
|
|
|
|
DIGESTS=$(sha256sum "$FILE" | base64 -w0)
|
|
|
|
echo "digests=${DIGESTS}" >> "${GITHUB_OUTPUT}"
|
|
|
|
- name: Upload artifacts
|
|
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
|
|
with:
|
|
name: ${{ steps.build.outputs.package_file }}
|
|
path: ${{ steps.build.outputs.package_file }}
|
|
if-no-files-found: error
|
|
|
|
provenance:
|
|
needs:
|
|
- build
|
|
|
|
permissions:
|
|
actions: read
|
|
id-token: write
|
|
contents: write
|
|
|
|
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@68bad40844440577b33778c9f29077a3388838e9 # v1.4.0
|
|
|
|
with:
|
|
base64-subjects: ${{ needs.build.outputs.digests }}
|
|
upload-assets: true
|