remove slsa provenance (#501)

davidism · web-flow · commit aafe44d87bd7 · 2025-06-14T13:10:28.000-07:00
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
@@ -15,8 +15,6 @@ on:
 jobs:
   sdist:
     runs-on: ubuntu-latest
-    outputs:
-      hash: ${{ steps.hash.outputs.hash }}
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -70,37 +68,8 @@ jobs:
         with:
           name: build-wheels-${{ matrix.os }}
           path: ./wheelhouse
-  hash:
-    # Generate hashes for the sdist and wheels, used later for provenance.
-    needs: [sdist, wheels]
-    runs-on: ubuntu-latest
-    outputs:
-      hash: ${{ steps.hash.outputs.hash }}
-    steps:
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          path: dist
-          pattern: build-*
-          merge-multiple: true
-      - name: generate hash
-        id: hash
-        run: cd dist && echo "hash=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
-  provenance:
-    needs: [hash]
-    permissions:
-      actions: read
-      id-token: write
-      contents: write
-    # Can't pin with hash due to how this workflow works.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
-    with:
-      base64-subjects: ${{ needs.hash.outputs.hash }}
-      # When building more wheels, use the Python version as the provenance file name.
-      provenance-name: ${{ inputs.python && format('{0}.intoto.jsonl', inputs.python) || null }}
   create-release:
-    # Upload the sdist, wheels, and provenance to a GitHub release. They remain
-    # available as build artifacts for a while as well.
-    needs: [provenance]
+    needs: [sdist, wheels]
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -110,29 +79,24 @@ jobs:
           path: dist
           pattern: build-*
           merge-multiple: true
-      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
-        with:
-          pattern: '*.intoto.jsonl'
       # When building a new tag, create a new draft release.
       - if: github.event_name == 'push'
         name: create release
         run: >
           gh release create --draft --repo ${{ github.repository }}
-          ${{ inputs.tag || github.ref_name }}
-          *.intoto.jsonl/* dist/*
+          ${{ inputs.tag || github.ref_name }} dist/*
         env:
           GH_TOKEN: ${{ github.token }}
       # When running manually, update the existing release with more files.
       - if: github.event_name == 'workflow_dispatch'
         name: update release
         run: >
           gh release upload --repo ${{ github.repository }}
-          ${{ inputs.tag || github.ref_name }}
-          *.intoto.jsonl/* dist/*
+          ${{ inputs.tag || github.ref_name }} dist/*
         env:
           GH_TOKEN: ${{ github.token }}
   publish-pypi:
-    needs: [provenance]
+    needs: [sdist, wheels]
     # Wait for approval before attempting to upload to PyPI. This allows reviewing the
     # files in the draft release.
     environment:
