OpenFGA MCP

name: "Security: SLSA Provenance" on: release: types: [published] workflow_dispatch: inputs: tag: description: "Release tag to generate provenance for" required: true type: string permissions: contents: read jobs: build: name: "Build Package" runs-on: ubuntu-latest outputs: digests: ${{ steps.hash.outputs.digests }} steps: - name: Harden the runner (Audit all outbound calls) uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: egress-policy: audit - name: Checkout code uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: ref: ${{ github.event.release.tag_name || inputs.tag }} - name: Setup PHP uses: shivammathur/setup-php@ec406be512d7077f68eed36e63f4d91bc006edc4 # 2.35.4 with: php-version: "8.3" tools: composer - name: Install dependencies run: composer install --no-dev --optimize-autoloader - name: Create release artifacts run: | # Create a reproducible build archive mkdir -p /tmp/artifacts tar --sort=name \ --mtime="@${SOURCE_DATE_EPOCH:-$(git log -1 --pretty=%ct)}" \ --owner=0 --group=0 --numeric-owner \ -czf /tmp/artifacts/openfga-mcp-${{ github.event.release.tag_name || inputs.tag }}.tar.gz \ --exclude='.git*' \ --exclude='tests' \ --exclude='*.test' \ --exclude='.github' \ . mv /tmp/artifacts/*.tar.gz . - name: Generate artifact hashes id: hash run: | set -euo pipefail # Debug: Show files echo "Files in directory:" ls -la openfga-mcp-*.tar.gz # Generate and show hash HASH=$(sha256sum openfga-mcp-*.tar.gz) echo "Generated hash: $HASH" # Base64 encode DIGEST=$(echo "$HASH" | base64 -w0) echo "Base64 digest: $DIGEST" # Set output echo "digests=$DIGEST" >> "$GITHUB_OUTPUT" - name: Upload artifacts uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: name: release-artifacts path: openfga-mcp-*.tar.gz if-no-files-found: error retention-days: 5 provenance: name: "Generate Package Provenance" needs: [build] permissions: actions: read id-token: write contents: write uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0 with: base64-subjects: "${{ needs.build.outputs.digests }}" upload-assets: false compile-generator: true # Note: Verification is currently not possible due to incompatibility between # SLSA generator v2.1.0 (which uses DSSE format) and the verifier # which expects intoto format. The provenance is still generated # correctly and contains all required information. upload-provenance: name: "Upload Provenance to Release" needs: [build, provenance] runs-on: ubuntu-latest if: ${{ always() && needs.provenance.result == 'success' }} permissions: contents: write steps: - name: Download release artifacts uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: release-artifacts - name: Download provenance uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 with: name: ${{ needs.provenance.outputs.provenance-name }} - name: Upload artifacts and provenance to release env: GH_TOKEN: ${{ github.token }} run: | TAG="${{ github.event.release.tag_name || inputs.tag }}" echo "Uploading artifacts to release $TAG" # Find all files to upload FILES=$(find . -name "*.tar.gz" -o -name "*.intoto.jsonl" | tr '\n' ' ') if [ -z "$FILES" ]; then echo "Error: No files found to upload" exit 1 fi echo "Found files to upload: $FILES" # Upload to the existing release gh release upload "$TAG" $FILES \ --repo "${{ github.repository }}" \ --clobber