copypaste workflow for debugging

jalseth · jalseth · commit 939ceb10c2dd · 2025-11-23T13:19:08.000-08:00
diff --git a/.github/workflows/integrate.yaml b/.github/workflows/integrate.yaml
@@ -14,15 +14,21 @@ jobs:
       contents: 'write' # Needs write access for upload-artifact.
     outputs:
       checksums-handle: '${{ steps.checksum-handle.outputs.handle }}'
-      sbom-handle: '${{ steps.sbom-handle.outputs.handle }}'
-      version: '${{ steps.version.outputs.version }}'
     env:
-      SBOM_FILE_NAME: 'cyclonedx_bom.json'
+      CHECKSUMS_FILE_NAME: 'checksums.txt'
     steps:
       - name: 'checkout'
         uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
         with:
           fetch-depth: 0 # So that goreleaser can determine the base version.
+      - name: setup go
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # ratchet:actions/setup-go@v6
+        with:
+          go-version: "1.25.x"
+      - name: 'setup cyclonedx-gomod'
+        uses: 'CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f' # ratchet:CycloneDX/gh-gomod-generate-sbom@v2
+        with:
+          version: 'v1'
       - name: 'build'
         id: 'goreleaser'
         uses: 'goreleaser/goreleaser-action@e435ccd777264be153ace6237001ef4d979d3a7a' # ratchet:goreleaser/goreleaser-action@v6
@@ -45,26 +51,14 @@ jobs:
           name: 'conftest_${{ steps.version.outputs.version }}'
           path: 'dist/*.*'
           retention-days: 30
-      - name: 'generate sbom'
-        uses: 'CycloneDX/gh-gomod-generate-sbom@efc74245d6802c8cefd925620515442756c70d8f' # ratchet:CycloneDX/gh-gomod-generate-sbom@v2
-        with:
-          version: 'v1'
-          args: >-
-            mod
-            -licenses
-            -json
-            -verbose
-            -output ${{ env.SBOM_FILE_NAME }}
+      - name: 'base64 checksum for provenance input'
+        shell: 'bash'
+        run: 'base64 -w0 "dist/${CHECKSUMS_FILE_NAME}" > "${CHECKSUMS_FILE_NAME}"'
       - name: 'get checksums handle'
         id: 'checksum-handle'
         uses: 'slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.1.0' # ratchet:exclude
         with:
-          path: 'dist/checksums.txt'
-      - name: 'get sbom handle'
-        id: 'sbom-handle'
-        uses: 'slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.1.0' # ratchet:exclude
-        with:
-          path: '${{ env.SBOM_FILE_NAME }}'
+          path: '${{ env.CHECKSUMS_FILE_NAME }}'
 
   binary-provenance:
     needs: ['goreleaser']
@@ -77,17 +71,6 @@ jobs:
       base64-subjects-as-file: '${{ needs.goreleaser.outputs.checksums-handle }}'
       upload-assets: false
 
-  sbom-provenance:
-    needs: ['goreleaser']
-    permissions:
-      contents: 'write' # Needs write access for upload-artifact even when upload-assets is false.
-      actions: 'read' # To read the workflow path.
-      id-token: 'write' # To sign the provenance.
-    uses: 'slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0' # ratchet:exclude
-    with:
-      base64-subjects-as-file: '${{ needs.goreleaser.outputs.sbom-handle }}'
-      upload-assets: false
-
   # docker:
   #   runs-on: 'ubuntu-latest'
   #   permissions:
diff --git a/.goreleaser.yml b/.goreleaser.yml
@@ -2,7 +2,12 @@ version: 1
 
 before:
   hooks:
-  - go mod download
+  - 'go mod download'
+  - >-
+    cyclonedx-gomod mod
+    -licenses
+    -json
+    -output cyclonedx_bom.json
 
 builds:
 - main: ./main.go
@@ -40,6 +45,7 @@ archives:
   files:
       - LICENSE
       - README.md
+      - cyclonedx_bom.json
       - plugin/*.sh
 
 checksum:
