# Release provenance (SLSA).
#
# For every published GitHub Release this workflow packs the publishable
# libraries into npm tarballs, attaches them to the release, and then attaches
# a signed SLSA provenance (*.intoto.jsonl) covering them, so that OSSF
# Scorecard's Signed-Releases check can verify the release assets.
#
# It can also be dispatched by hand against an existing tag. On that path
# `github.ref` is the branch the workflow was dispatched from, not the tag, so
# the provenance job is told which release to upload to via `upload-tag-name`.
# This is also the escape hatch for the "a release event runs the workflow file
# as it exists at the tag commit" trap: a workflow fix landed on main can be
# exercised against an old tag by dispatching it.
name: Release provenance (SLSA)

on: # yamllint disable-line rule:truthy
  release:
    types: [published]
  workflow_dispatch:
    inputs:
      tag:
        description: "Existing release tag to attest (e.g. v0.0.50)"
        required: true
        type: string

# Least-privilege default for GITHUB_TOKEN; each job widens only what it needs.
permissions:
  contents: read

env:
  # Opt the build tooling out of usage telemetry where it honours this convention.
  DO_NOT_TRACK: '1'
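jobs:
  build-artifacts:
    runs-on: ubuntu-latest
    permissions:
      contents: write # gh release upload attaches tarballs to the release
    defaults:
      run:
        # An explicit `bash` shell runs with `-eo pipefail`, so a failing
        # `sha256sum` inside a pipeline or command substitution fails the step
        # instead of quietly producing an empty `hashes` output.
        shell: bash
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
      tag: ${{ steps.tag.outputs.tag }}
    env:
      # Single source of truth for the packages to pack; the pack and hash
      # steps iterate this list instead of repeating it.
      NPM_PUBLISHABLE_PROJECTS: chat,langgraph,ag-ui,render,a2ui,licensing,telemetry
    steps:
      - name: Resolve target tag
        id: tag
        # The tag comes from the release payload or the dispatch input. It is
        # passed through `env` rather than interpolated with `${{ }}` into the
        # shell line, so a tag name containing shell metacharacters (tag names
        # may contain `$`, `;`, backticks, quotes) cannot be executed.
        env:
          RELEASE_TAG: ${{ github.event.release.tag_name || inputs.tag }}
        run: |
          if [ -z "$RELEASE_TAG" ]; then
            echo "::error::no release tag resolved from the event payload or inputs"
            exit 1
          fi
          echo "tag=$RELEASE_TAG" >> "$GITHUB_OUTPUT"
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ steps.tag.outputs.tag }}
          # This job's token carries `contents: write`. Do not leave it in
          # .git/config where `npm ci` lifecycle scripts (from any dependency)
          # or the build itself could read it; the one step that needs the
          # token receives it explicitly via GH_TOKEN.
          persist-credentials: false
      - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0
        with:
          node-version: 24
          cache: npm
      # NOTE(review): `npm ci` runs dependency lifecycle scripts; with the
      # token no longer persisted they only see the checked-out tree.
      - run: npm ci
      - name: Build publishable projects
        env:
          CACHEPLANE_LICENSE_PUBLIC_KEY: ${{ secrets.CACHEPLANE_LICENSE_PUBLIC_KEY }}
        # `--skip-nx-cache` forces a fresh build so the packed output is what
        # this run produced, not a cache hit.
        run: npx nx run-many -t build --projects="$NPM_PUBLISHABLE_PROJECTS" --skip-nx-cache
      - name: Pack tarballs
        # One `npm pack` per project in NPM_PUBLISHABLE_PROJECTS; a failing
        # pack aborts the loop (`-e`).
        run: |
          mkdir -p release-artifacts
          IFS=, read -r -a projects <<< "$NPM_PUBLISHABLE_PROJECTS"
          for p in "${projects[@]}"; do
            npm pack "dist/libs/$p" --pack-destination release-artifacts
          done
      - name: Generate subject hashes
        id: hash
        # Subject list for the SLSA generator: one `<sha256>  <name>` line per
        # tarball, base64-encoded onto a single line. Hashing bare filenames
        # from inside the directory (no `./` prefix) keeps the subject names
        # equal to the basenames of the assets attached to the release.
        # The count check guards against an empty or partial set of tarballs
        # being attested: with no files `sha256sum` would hash stdin instead.
        run: |
          cd release-artifacts
          shopt -s nullglob
          tarballs=(*.tgz)
          IFS=, read -r -a projects <<< "$NPM_PUBLISHABLE_PROJECTS"
          if [ "${#tarballs[@]}" -ne "${#projects[@]}" ]; then
            echo "::error::expected ${#projects[@]} tarballs, found ${#tarballs[@]}"
            exit 1
          fi
          hashes="$(sha256sum -- "${tarballs[@]}" | base64 -w0)"
          echo "hashes=$hashes" >> "$GITHUB_OUTPUT"
      - name: Upload tarballs to the release
        env:
          GH_TOKEN: ${{ github.token }}
          RELEASE_TAG: ${{ steps.tag.outputs.tag }}
        # `--clobber` replaces same-named assets, which a re-dispatch against an
        # existing tag needs; the provenance uploaded by the next job then
        # describes these (re)built tarballs.
        run: gh release upload "$RELEASE_TAG" --clobber -- release-artifacts/*.tgz
  provenance:
    needs: [build-artifacts]
    permissions:
      actions: read # the generator reads this run's metadata
      id-token: write # OIDC token used to sign the provenance
      contents: write # upload-assets attaches *.intoto.jsonl to the release
    # NOTE(review): the generator is referenced by tag rather than by commit
    # SHA, unlike the actions above. The SLSA generator's own documentation
    # governs how it must be referenced — confirm before switching to a SHA
    # pin, and expect Scorecard's Pinned-Dependencies check to flag this.
    # NOTE(review): on the workflow_dispatch path the workflow runs from a
    # branch commit while the tarballs are built from the tag's tree; the
    # provenance's recorded source ref/commit presumably reflects the former.
    # Exercise a verifier that checks the source tag against a dispatched run
    # before relying on it.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build-artifacts.outputs.hashes }}
      upload-assets: true
      upload-tag-name: ${{ needs.build-artifacts.outputs.tag }}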