fix: Prevent SLSA generator from creating separate release

backnotprop · claude · backnotprop · commit b294b0192f37 · 2025-11-04T14:49:07.000-08:00
The slsa-github-generator with upload-assets: true was creating its own published release, leaving build assets in a draft release. This caused the finalize job to fail with 'tag_name already_exists'. **Changes**: - Remove upload-assets and upload-tag-name from provenance job - Add new upload-provenance job that downloads artifact and uploads to draft - Update checksums and finalize job dependencies **Root cause**: The generator creates a new release when upload-assets is true, instead of using the existing draft created by create-release job. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -373,13 +373,33 @@ jobs:
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
     with:
       base64-subjects: ${{ needs.combine-hashes.outputs.hashes }}
-      upload-assets: true
-      upload-tag-name: ${{ needs.create-release.outputs.version }}
+
+  # Upload provenance to release
+  upload-provenance:
+    name: Upload Provenance to Release
+    needs: [create-release, provenance]
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download provenance
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ needs.provenance.outputs.provenance-name }}
+          path: .
+
+      - name: Upload provenance to release
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        with:
+          upload_url: ${{ needs.create-release.outputs.upload_url }}
+          asset_path: ${{ needs.provenance.outputs.provenance-name }}
+          asset_name: ${{ needs.provenance.outputs.provenance-name }}
+          asset_content_type: application/json
 
   # Generate combined checksums file
   checksums:
     name: Generate Combined Checksums
-    needs: [create-release, build, provenance]
+    needs: [create-release, build, upload-provenance]
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
@@ -419,7 +439,7 @@ jobs:
   # Finalize the release
   finalize:
     name: Finalize Release
-    needs: [create-release, build, checksums, provenance]
+    needs: [create-release, build, checksums, upload-provenance]
     runs-on: ubuntu-latest
     steps:
       - name: Publish Release
