
@Kelleretoro

No description provided.

Copilot AI review requested due to automatic review settings November 23, 2025 15:58
Copilot finished reviewing on behalf of Kelleretoro November 23, 2025 15:59

Copilot AI left a comment


Pull request overview

This PR adds a new GitHub Actions workflow for generating SLSA (Supply-chain Levels for Software Artifacts) provenance attestations at level 3. The workflow generates cryptographic hashes of build artifacts and creates a signed provenance file using the SLSA framework's generic generator.

Key changes:

  • Adds SLSA provenance generation workflow triggered on releases and manual dispatch
  • Implements a two-job pipeline: artifact building and provenance generation
  • Uses SLSA framework v1.4.0 for generating and uploading attestations

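Added example, not code from the PR under review: the subject-generation step the overview describes, written so that it fails instead of attesting nothing, plus a local check that decodes the base64 blob and verifies it against the files on disk. The function names `generate_subjects` and `verify_subjects`, the guard logic and the sample artifacts are assumptions of this example; the only thing taken from the page is the subject format, base64 of `sha256sum` output, which is what the generic generator's `base64-subjects` input consumes.

```shell
#!/usr/bin/env bash
# Added example (not from the PR): robust SLSA subject generation and a
# local verification of the resulting base64 subject list.
set -euo pipefail

# generate_subjects DIR PATTERN
# Prints the base64-encoded "sha256sum" subject list for the files in DIR
# that match PATTERN, i.e. the value the workflow writes to $GITHUB_OUTPUT.
# Returns 1 when nothing matches: with nullglob and no match, sha256sum
# would otherwise read stdin and emit a subject named "-" for empty input.
generate_subjects() {
  local dir="$1" pattern="$2"
  local -a files=()
  shopt -s nullglob
  files=( "$dir"/$pattern )
  shopt -u nullglob
  if [ "${#files[@]}" -eq 0 ]; then
    echo "generate_subjects: no file matches '$pattern' in $dir" >&2
    return 1
  fi
  # Hash by basename so the subject names the artifact, not the runner's
  # directory layout; "--" stops a leading "-" in a name being an option.
  ( cd "$dir" && sha256sum -- "${files[@]##*/}" ) | base64 -w0
}

# verify_subjects DIR B64
# Decodes B64, checks every line is "<64 hex>  <name>" with a real file
# name (not stdin's "-"), then re-hashes the files in DIR against it.
verify_subjects() {
  local dir="$1" b64="$2"
  local decoded
  decoded="$(printf '%s' "$b64" | base64 -d)" || return 1
  if [ -z "$decoded" ]; then
    echo "verify_subjects: empty subject list" >&2
    return 1
  fi
  if printf '%s\n' "$decoded" \
      | grep -Ev '^[0-9a-f]{64}  [^-[:space:]][^[:space:]]*$' >/dev/null; then
    echo "verify_subjects: malformed subject line" >&2
    return 1
  fi
  # --strict makes badly formatted lines an error, --quiet hides OK lines.
  ( cd "$dir" && printf '%s\n' "$decoded" | sha256sum -c --strict --quiet )
}
```

In the workflow step this replaces the `ls` form: `echo "hashes=$(generate_subjects . 'artifact*')" >> "$GITHUB_OUTPUT"`, with the same name (`hashes` or `digests`) used in the job `outputs:` entry and in the provenance job's `base64-subjects` input. `verify_subjects` is the check to run on a downloaded artifact set before trusting the provenance: a tampered file or a subject list with a `-` entry fails it.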

build:
runs-on: ubuntu-latest
outputs:
digests: ${{ steps.hash.outputs.digests }}
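Review bot: `digests: ${{ steps.hash.outputs.digests }}` references a step output that is never written; the hash step sets `hashes=...`, and GitHub Actions does not fail on an unknown step output, it expands the expression to an empty string, so the job output `digests` would be empty and the provenance job would be handed no subjects. Align the two names (for example `digests: ${{ steps.hash.outputs.hashes }}`) and confirm the step that writes the value carries `id: hash`, which this excerpt does not show.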

Copilot AI Nov 23, 2025


The output references 'digests' but the hash step (line 55) sets 'hashes' instead. Change 'digests' to 'hashes' to match the actual output variable name.

Comment on lines +53 to +55
files=$(ls artifact*)
# Generate the subjects (base64 encoded).
echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
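Review bot: `files=$(ls artifact*)` with an unquoted `$files` parses `ls` output and relies on word-splitting, so an artifact name containing a space is hashed as two non-existent names and the step fails. If this is replaced by a glob array, be aware that with `nullglob` set and no matching file `sha256sum` gets no arguments and reads stdin, which can produce a subject named `-` with the digest of empty input instead of a failed step. Suggest `shopt -s nullglob; files=(artifact*)`, an explicit `[ "${#files[@]}" -gt 0 ] || exit 1` guard, and `sha256sum -- "${files[@]}"` so that the attested subject set is exactly the files present and the step fails loudly otherwise.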

Copilot AI Nov 23, 2025


Using 'ls' with glob patterns can fail if no files match and is not recommended in scripts. Use a shell glob directly or 'find' instead: 'files=(artifact*)' or quote the expansion when used.

Suggested change
files=$(ls artifact*)
# Generate the subjects (base64 encoded).
echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
files=(artifact*)
# Generate the subjects (base64 encoded).
echo "hashes=$(sha256sum "${files[@]}" | base64 -w0)" >> "${GITHUB_OUTPUT}"

# List the artifacts the provenance will refer to.
files=$(ls artifact*)
# Generate the subjects (base64 encoded).
echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
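Review bot: this suggestion and the one on the job `outputs:` entry pull in opposite directions, one renames the job output to `hashes`, this one renames the step output to `digests`; applying both leaves the names mismatched again. Pick one name and use it in all three places the comments identify (the job `outputs:` entry, this `echo`, and the `base64-subjects` reference the comment calls line 65). The suggested replacement line also keeps `$files` unquoted; quote it or switch to the array form.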

Copilot AI Nov 23, 2025


The output variable is named 'hashes' but line 23 and line 65 reference it as 'digests'. Either rename this to 'digests' for consistency, or update lines 23 and 65 to use 'hashes'.

Suggested change
echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
echo "digests=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
