name: publish (slsa 3)
on:
  workflow_dispatch:
  release:
    types: [created]

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}

    steps:
      - name: checkout
        uses: actions/checkout@v3

      - name: install devbox  
        uses: jetpack-io/devbox-install-action@v0.3.0

      - name: install dependencies
        run: devbox run poetry install

      - name: install dependencies
        id: build
        run: devbox run poetry build

      - name: generate provenance subjects
        id: hash
        run: |
          cd dist
          HASHES=$(sha256sum * | base64 -w0)
          echo "hashes=$HASHES" >> "$GITHUB_OUTPUT"

  provenance:
    needs: [build]
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.6.0
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true