ci: switch from subject-checksums to subject-path for attestation

Author: keelerm84

.github/actions/build/action.yml

@@ -1,19 +1,9 @@
 name: Build distribution files
 description: 'Build distribution files'
-outputs:
-  package-hashes:
-    description: "base64-encoded sha256 hashes of distribution files"
-    value: ${{ steps.package-hashes.outputs.package-hashes }}
 
 runs:
   using: composite
   steps:
     - name: Build distribution files
       shell: bash
       run: poetry build
-    - name: Hash build files for provenance 
-      id: package-hashes
-      shell: bash 
-      working-directory: ./dist
-      run: |
-        echo "package-hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"

.github/workflows/manual-publish.yml

@@ -19,8 +19,6 @@ jobs:
       id-token: write
       contents: read
       attestations: write # Needed for artifact attestations
-    outputs:
-      package-hashes: ${{ steps.build.outputs.package-hashes}}
     steps:
       - uses: actions/checkout@v4
 
@@ -46,15 +44,8 @@ jobs:
         with:
           password: ${{env.PYPI_AUTH_TOKEN}}
 
-      - name: Generate checksums file
-        if: ${{ !inputs.dry_run }}
-        env:
-          HASHES: ${{ steps.build.outputs.package-hashes }}
-        run: |
-          echo "$HASHES" | base64 -d > checksums.txt
-
       - name: Attest build provenance
         if: ${{ !inputs.dry_run }}
         uses: actions/attest@v4
         with:
-          subject-checksums: checksums.txt
+          subject-path: 'dist/*'

.github/workflows/release-please.yml

@@ -15,7 +15,6 @@ jobs:
     outputs:
       release-created: ${{ steps.release.outputs.release_created }}
       upload-tag-name: ${{ steps.release.outputs.tag_name }}
-      package-hashes: ${{ steps.build.outputs.package-hashes}}
     steps:
       - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
         id: release
@@ -54,15 +53,8 @@ jobs:
         with:
           password: ${{env.PYPI_AUTH_TOKEN}}
 
-      - name: Generate checksums file
-        if: ${{ steps.release.outputs.releases_created == 'true' }}
-        env:
-          HASHES: ${{ steps.build.outputs.package-hashes }}
-        run: |
-          echo "$HASHES" | base64 -d > checksums.txt
-
       - name: Attest build provenance
         if: ${{ steps.release.outputs.releases_created == 'true' }}
         uses: actions/attest@v4
         with:
-          subject-checksums: checksums.txt
+          subject-path: 'dist/*'