Enhance SLSA provenance generation: add file hash generation and separate job for provenance

.github/workflows/release.yml

@@ -19,6 +19,8 @@ permissions:
 jobs:
   build-and-sign-release:
     runs-on: ubuntu-latest
+    outputs:
+      digests: ${{ steps.hash.outputs.digests }}
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
@@ -45,6 +47,25 @@ jobs:
         run: |
           uv build
 
+      - name: Generate file hashes for SLSA
+        shell: bash
+        id: hash
+        run: |
+          set -euo pipefail
+
+          # Generate SHA256 digests for all built artifacts
+          (
+            cd dist/
+            for file in *; do
+              if [ -f "$file" ]; then
+                echo "$file:$(sha256sum "$file" | head -c 64)"
+              fi
+            done
+          ) > checksums
+
+          # Create base64-encoded subjects for SLSA
+          echo "digests=$(cat checksums | base64 -w0)" >> "$GITHUB_OUTPUT"
+
       - name: Install cosign
         uses: sigstore/cosign-installer@v3
         with:
@@ -121,12 +142,6 @@ jobs:
             fi
           done
 
-      - name: Generate SLSA provenance
-        uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
-        with:
-          base64-subjects: |
-            ${{ hashFiles('dist/*') }}
-
       - name: Update release with security information
         run: |
           # Create a security attestation file
@@ -207,4 +222,16 @@ jobs:
               cosign sign-blob --bundle "${file}.sig" "$file"
               echo "Signed $file"
             fi
-          done
+          done
+
+  # Generate SLSA provenance as a separate job
+  provenance:
+    needs: [build-and-sign-release]
+    permissions:
+      actions: read   # To read the workflow path
+      id-token: write # To sign the provenance
+      contents: write # To add assets to a release
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
+    with:
+      base64-subjects: "${{ needs.build-and-sign-release.outputs.digests }}"
+      upload-assets: true # upload to a new release