@@ -56,7 +56,7 @@ outputs:
5656
5757 package-sha256 :
5858 description : " The sha256 digest of the package file."
59- value : ${{ steps.sha .outputs.sha256 }}
59+ value : ${{ steps.upload .outputs.sha256 }}
6060
6161runs :
6262 using : " composite"
@@ -74,36 +74,24 @@ runs:
7474 # NOTE: cache-dependency-path needs to be validated to be a subdirectory of GITHUB_WORKSPACE.
7575 # cache-dependency-path:
7676
77- # NOTE: the default npm lists incorrect filenames in the output of 'npm pack --json'. This is fixed in later versions.
78- - id : update-npm
79- shell : bash
80- run : |
81- npm install -g npm@9.5.0
82-
8377 - id : build
8478 env :
8579 UNTRUSTED_DIRECTORY : ${{ fromJson(inputs.slsa-workflow-inputs).directory }}
8680 UNTRUSTED_RUN_SCRIPTS : ${{ fromJson(inputs.slsa-workflow-inputs).run-scripts }}
8781 shell : bash
8882 run : ./../__TOOL_ACTION_DIR__/build.sh
8983
90- - id : sha
91- uses : slsa-framework/slsa-github-generator/.github/actions/compute-sha256@main
92- with :
93- path : ${{ steps.build.outputs.file-path }}
94-
9584 # rng generates a random number to avoid name collision in artifacts
9685 # when multiple workflows run concurrently.
9786 - name : Generate random 16-byte value (32-char hex encoded)
9887 id : rng
9988 uses : slsa-framework/slsa-github-generator/.github/actions/rng@main
10089
101- - uses : actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
90+ - uses : slsa-framework/slsa-github-generator/.github/actions/secure-upload-artifact@main
91+ id : upload
10292 with :
10393 name : " ${{ steps.rng.outputs.random }}-package.tgz"
10494 path : ${{ steps.build.outputs.file-path }}
105- if-no-files-found : error
106- retention-days : 5
10795
10896 # NOTE: Here we create a JSON file that describes the attestations we want
10997 # to create. Each attestation will be created as a separate file,
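Review bot: The upload step at new lines 90-94 drops `if-no-files-found: error` and `retention-days: 5`, and `package-sha256` (new line 59) now reads `steps.upload.outputs.sha256`, so the digest that ends up in provenance depends entirely on how `secure-upload-artifact` behaves, which is not visible in this diff. Please confirm that the action fails when `steps.build.outputs.file-path` matches no file and that it hashes the exact file it uploads; otherwise the output could be empty or describe something other than the stored artifact. A short comment above the step would record that contract, for example `# secure-upload-artifact uploads the package and emits its sha256; it must fail if the path is missing.` Retention presumably now follows the wrapper's or the repository's default rather than 5 days, which is worth confirming as intended.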