example-publish.yaml

name: Create a provenance from marketplace

on:
  workflow_dispatch:

jobs:
  build:
    name: Build artifact
    runs-on: ubuntu-latest
    steps:
      # traditionally you would build your code here and generate an artifact
      - name: Create artifact
        run:  echo "onion, tomato, jalapeno, cilantro, lime, salt" > salsa.txt

      - name: Upload artifact
        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # ratchet:actions/upload-artifact@v4.6.1
        with:
          path: salsa.txt

  generate-provenance:
    needs: build
    name: Generate build provenance
    runs-on: ubuntu-latest
    steps:
      - name: Download build artifact
        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # ratchet:actions/download-artifact@v4.1.9
      - name: Generate provenance
        uses: philips-labs/slsa-provenance-action@6b2fd198d38ba72fb3cc08fbc52da2ebaef2efad # ratchet:philips-labs/slsa-provenance-action@v0.9.0
        with:
          command: generate
          subcommand: files
          arguments: --artifact-path artifact/ --output-path provenance.json

      - name: Upload provenance
        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # ratchet:actions/upload-artifact@v4.6.1
        with:
          path: provenance.json