Move hashing to a publish step

esev · May 8, 2023 · 4f41d5d · 4f41d5d
1 parent 02cc512
commit 4f41d5d
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 23 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -7,9 +7,6 @@ on:
     - pywemo_esev
   workflow_call:
     outputs:
-      hashes:
-        description: "base64 encoded sha256 hashes of dist files"
-        value: ${{ jobs.build.outputs.hashes }}
       version:
         description: "Version of built module"
         value: ${{ jobs.build.outputs.version }}
@@ -21,7 +18,6 @@ jobs:
     name: Build and test
     runs-on: ubuntu-latest
     outputs:
-      hashes: ${{ steps.build.outputs.hashes }}
       version: ${{ steps.build.outputs.version }}
     strategy:
       max-parallel: 4
@@ -39,7 +35,7 @@ jobs:
         run: ./scripts/build.sh
         env:
           OUTPUT_ENV_VAR: ${{ (matrix.python-version == '3.10' && 'GITHUB_OUTPUT') || '' }}
-      # The next two steps only run if OUTPUT_ENV_VAR (above) has a value.
+      # The following steps only run if OUTPUT_ENV_VAR (above) has a value.
       - name: Archive build artifacts
         if: ${{ success() && steps.build.outputs.version }}
         uses: actions/upload-artifact@v3

diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -25,12 +25,35 @@ jobs:
           echo "TAG: $GITHUB_REF_NAME"
           echo "VERSION: $BUILD_VERSION"
           if [[ "$GITHUB_REF_NAME" != "$BUILD_VERSION" ]]; then exit 1; fi
-      - name: Verify checksums match
-        run: echo "${{ needs.build.outputs.hashes }}" | base64 -d | sha256sum -c || exit 1
+
+  hash:
+    name: Generate SHA256 hashes
+    needs: [build, check]
+    runs-on: ubuntu-latest
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    steps:
+      - name: Download dist artifacts
+        uses: actions/download-artifact@v3
+        with:
+          name: dist
+          path: dist
+      - name: Hash dist files
+        id: hash
+        working-directory: dist
+        run: |
+          sha256sum * | tee "pywemo-${{ needs.build.outputs.version }}.sha256sum.txt"
+          echo "hashes=$(sha256sum * | base64 -w0)" | tee -a "$GITHUB_OUTPUT"
+      - name: Archive hashes
+        uses: actions/upload-artifact@v3
+        with:
+          if-no-files-found: error
+          name: hashes
+          path: dist/pywemo-${{ needs.build.outputs.version }}.sha256sum.txt
 
   slsa:
     name: Generate SLSA provenance
-    needs: [build, check]
+    needs: [build, hash]
     permissions:
       # Needed to upload assets to the Github release.
       # TODO: Find a way to remove this:
@@ -43,36 +66,29 @@ jobs:
     uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
     with:
       # SHA-256 hashes of the Python distributions.
-      base64-subjects: ${{ needs.build.outputs.hashes }}
+      base64-subjects: ${{ needs.hash.outputs.hashes }}
       # Provenance file name.
-      provenance-name: pywemo-${{ needs.build.outputs.version }}.intoto.jsonl
+      provenance-name: provenance-pywemo-${{ needs.build.outputs.version }}.intoto.jsonl
 
   sigstore:
     name: Generate Sigstore signatures
-    needs: [build, check]
+    needs: [build, hash]
     runs-on: ubuntu-latest
     permissions:
       # For Sigstore provenance.
       id-token: write 
     steps:
       - name: Download build artifacts
         uses: actions/download-artifact@v3
-        with:
-          name: dist
-          path: dist
-      - name: Output hashes
-        working-directory: dist
-        run: echo "${{ needs.build.outputs.hashes }}" | base64 -d > "pywemo-${{ needs.build.outputs.version }}.sha256sum.txt"
       - name: Sign the release
         uses: sigstore/[email protected]
         with:
-          inputs: ./dist/*
+          inputs: ./dist/* ./hashes/*
           upload-signing-artifacts: true
-          bundle-only: true
 
   assets:
     name: Publish Release assets
-    needs: [build, slsa, sigstore]
+    needs: [build, hash, slsa, sigstore]
     runs-on: ubuntu-latest
     environment: release
     permissions:
@@ -84,7 +100,12 @@ jobs:
       - name: Upload release assets
         env:
           GH_TOKEN: ${{ github.token }}
-        run: gh release upload ${{ github.ref_name }} ./${{ needs.slsa.outputs.provenance-name }}/* ./signing-artifacts-sigstore/* --repo ${{ github.repository }}
+        run: |
+          gh release upload ${{ github.ref_name }} --repo ${{ github.repository }} \
+            ./dist/* \
+            ./hashes/* \
+            ./${{ needs.slsa.outputs.provenance-name }}/* \
+            ./signing-artifacts-sigstore/*.sigstore
 
   pypi:
     name: Publish to PyPi

diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "poetry.core.masonry.api"
 
 [tool.poetry]
 name = "pywemo-esev"
-version = "0.9.1rc13"
+version = "0.9.1rc14"
 description = "Lightweight Python module to discover and control WeMo devices"
 authors = ["Eric Severance <[email protected]>"]
 license = "MIT"

diff --git a/scripts/build.sh b/scripts/build.sh
@@ -69,7 +69,6 @@ poetry build
 if [[ ! -z "${OUTPUT_ENV_VAR:-}" ]]; then
   echo
   echo "===Generating output variables for CI==="
-  echo "hashes=$(cd dist && set +f && sha256sum * | base64 -w0)" | tee -a "${!OUTPUT_ENV_VAR}"
   echo "version=$(poetry version -s)" | tee -a "${!OUTPUT_ENV_VAR}"
   echo "coverage-lcov=$(coverage debug config | sed -ne 's/^.*lcov_output: \(.*\)$/\1/p')" | tee -a "${!OUTPUT_ENV_VAR}"
 fi