From 416cb6a227c52d87e648de353f56c6a852f68e53 Mon Sep 17 00:00:00 2001
From: Hayden B <hblauzvern@google.com>
Date: Fri, 5 Jan 2024 11:10:33 -0800
Subject: [PATCH] Use built-in feature to upload provenance to existing tag
 (#586)

This was failing because we upgraded to a new version of download-action
while the reusable workflow uses a previous incompatible version of
upload-action.

Signed-off-by: Hayden Blauzvern <hblauzvern@google.com>
---
 .github/workflows/release.yaml | 27 +++++++--------------------
 1 file changed, 7 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index f882c6b7..43ad8b27 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -18,6 +18,7 @@ jobs:
     runs-on: ubuntu-latest
     outputs:
       hashes: ${{ steps.hash.outputs.hashes }}
+      tag_name: ${{ steps.tag.outputs.tag_name }}
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
@@ -55,6 +56,10 @@ jobs:
           set -euo pipefail
           checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path')
           echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT"
+      
+      - name: Set tag output
+        id: tag
+        run: echo "tag_name=${GITHUB_REF#refs/*/}" >> "$GITHUB_OUTPUT"
 
   provenance:
     needs: [release]
@@ -65,23 +70,5 @@ jobs:
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
     with:
       base64-subjects: "${{ needs.release.outputs.hashes }}"
-      upload-assets: false # do not upload to a new release since goreleaser creates it
-
-  release-provenance:
-    needs: [provenance]
-    runs-on: ubuntu-latest
-    permissions:
-      actions: read # To read the workflow path.
-      contents: write # To add assets to a release.
-    steps:
-      - name: Download the provenance
-        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4.1.0
-        with:
-          name: ${{needs.provenance.outputs.provenance-name}}
-
-      - name: Release Provenance
-        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
-        id: release-provenance
-        with:
-          draft: true
-          files: ${{needs.provenance.outputs.provenance-name}}
+      upload-assets: true
+      upload-tag-name: "${{ needs.release.outputs.tag_name }}" # Upload to tag rather than generate a new release