Add Node.js setup to SLSA generic generator workflow

[Apostles1]

Added Node.js setup step with configurable options.

[中文版模板 / Chinese template]

🤔 This is a ...

• [ x] New feature
• Bug fix
• [ x] TypeScript definition update
• [ x] Bundle size optimization
• Performance optimization
• [ x] Enhancement feature
• Refactoring
• Update dependency
• Code style optimization
• Test Case
• Branch merge
• Site / documentation update
• Demo update
• Workflow
• [ x] Release
• Other (about what?)

🔗 Related issue link

🐞 Bugserver case id

💡 Background and solution

📝 Changelog

Language	Changelog
🇺🇸 English
🇨🇳 Chinese

☑️ Self-Check before Merge

⚠️ Please check all items below before requesting a reviewing. ⚠️

• Doc is updated/provided or not needed
• Demo is updated/provided or not needed
• TypeScript definition is updated/provided or not needed
• Changelog is provided or not needed

---

🚀 Summary

copilot:summary

🔍 Walkthrough

copilot:walkthrough

[Apostles1]

node.js

[Copilot]

Pull request overview

Adds a GitHub Actions workflow intended to generate and publish SLSA3 provenance, with an attempted addition of a Node.js setup step.

Changes:

• Introduces a new “SLSA generic generator” workflow to build artifacts and generate provenance.
• Attempts to add Node.js environment setup with configurable options.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The workflow YAML is invalid: the on: key is immediately followed by a step definition (- name: Setup Node.js environment). Move the Node setup step under jobs.<job>.steps, and restore on: to a proper mapping (e.g., workflow_dispatch: and release:).

[Copilot]

actions/setup-node is configured with placeholder inputs (e.g., node-version: with no value). The action requires a Node version (or node-version-file), so this will fail at runtime once the step is placed under steps. Provide a concrete default (matching the repo’s Node version) and/or wire these values via workflow_dispatch inputs.

Suggested change

	on: - name: Setup Node.js environment
	uses: actions/setup-node@v6.2.0
	with:
	# Version Spec of the version to use. Examples: 12.x, 10.15.1, >=10.15.0.
	node-version: # optional
	# File containing the version Spec of the version to use. Examples: package.json, .nvmrc, .node-version, .tool-versions.
	node-version-file: # optional
	# Target architecture for Node to use. Examples: x86, x64. Will use system architecture by default.
	architecture: # optional
	# Set this option if you want the action to check for the latest available version that satisfies the version spec.
	check-latest: # optional
	# Optional registry to set up for auth. Will set the registry in a project level .npmrc and .yarnrc file, and set up auth to read in from env.NODE_AUTH_TOKEN.
	registry-url: # optional
	# Optional scope for authenticating against scoped registries. Will fall back to the repository owner when using the GitHub Packages registry (https://npm.pkg.github.com/).
	scope: # optional
	# Used to pull node distributions from node-versions. Since there's a default, this is typically not supplied by the user. When running this action on github.com, the default value is sufficient. When running on GHES, you can pass a personal access token for github.com if you are experiencing rate limiting.
	token: # optional, default is ${{ github.server_url == 'https://github.com' && github.token || '' }}
	# Used to specify a package manager for caching in the default directory. Supported values: npm, yarn, pnpm.
	cache: # optional
	# Set to false to disable automatic caching. By default, caching is enabled when either devEngines.packageManager or the top-level packageManager field in package.json specifies npm as the package manager.
	package-manager-cache: # optional, default is true
	# Used to specify the path to a dependency file: package-lock.json, yarn.lock, etc. Supports wildcards or a list of file names for caching multiple dependencies.
	cache-dependency-path: # optional
	# Used to specify an alternative mirror to download Node.js binaries from
	mirror: # optional
	# The token used as Authorization header when fetching from the mirror
	mirror-token: # optional
	on:

[Copilot]

The build job output is wired to steps.hash.outputs.digests, but the hash step writes hashes=... to $GITHUB_OUTPUT. As written, needs.build.outputs.digests will be empty and provenance generation will fail. Align the output key names (either emit digests= or update the references to use hashes).

[Copilot]

base64-subjects is set to ${{ needs.build.outputs.digests }}, but the build job currently doesn't actually produce a digests output due to the output key mismatch. Once the build output key is fixed, ensure this input references the corrected output name.

[xile611]

Hi @Apostles1, thanks for the contribution! 🙏

I've reviewed this PR and noticed there are a few issues flagged in the review comments that would need to be addressed before we can move forward:

1. Invalid YAML structure — The on: key is malformed; the Node.js setup step needs to be moved under jobs.<job>.steps, and on: should be restored to a proper event mapping.
2. Placeholder inputs in actions/setup-node — The node-version and other parameters are currently empty. Please provide concrete values (this repo requires Node.js >=20.10.0).
3. Output key mismatch — The hash step writes hashes=... to $GITHUB_OUTPUT, but the job output references steps.hash.outputs.digests. These need to be aligned.
4. Downstream reference — base64-subjects in the provenance job depends on the corrected output name as well.

Could you please take a look and fix these issues? Once they are resolved, I'd be happy to consider merging this PR.

Thanks again for your time and effort