Add provenance instruction for Bazel based builds. (slsa-framework#556)

Based on the
[example-package](https://github.com/slsa-framework/example-package)
example workflows, reduced to the instructions that are needed to build
and generate provenance.

Included 2 artifacts in the example, for the scenarios where multiple
artifacts are built in the same job.

Signed-off-by: Mihai Maruseac <[email protected]>

Author: mihaimaruseac

internal/builders/generic/README.md

@@ -26,6 +26,7 @@ project simply generates provenance as a separate step in an existing workflow.
   - [Provenance Example](#provenance-example)
 - [Integration With Other Build Systems](#integration-with-other-build-systems)
   - [Provenance for GoReleaser](#provenance-for-goreleaser)
+  - [Provenance for Bazel](#provenance-for-bazel)
 
 ---
 
@@ -341,3 +342,82 @@ jobs:
       base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
       upload-assets: true # upload to a new release
 ```
+
+### Provenance for Bazel
+
+If you use [Bazel](https://bazel.build/) to generate your artifacts, you can
+easily generate SLSA3 provenance by updating your existing workflow with the 4
+steps indicated in the workflow below:
+
+```yaml
+jobs:
+  build:
+    # ==================================================
+    #
+    # Step 1: Declare an `outputs` for the hashes.
+    #
+    # ==================================================
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+
+    [...]
+
+    steps:
+      [...]
+      - name: Build using bazel
+        # =================================================
+        #
+        # Step 2: Add an `id: bazel-build` field
+        #         to your goreleaser step.
+        #
+        # =================================================
+        id: build
+        run: |
+          # Your normal build workflow targets here
+          bazel build //path/to/target_binary //path/to_another/binary
+          # ======================================================
+          #
+          # Step 3: Copy the binaries from `bazel-bin` path (i.e.,
+          #         Bazel sandbox) to the root of the repository
+          #         for easier reference (this makes it easier to
+          #         upload these to the release too!).
+          #
+          # =====================================================
+          cp bazel-bin/path/to/target_binary .
+          cp bazel-bin/path/to/another/binary .
+
+
+      # ========================================================
+      #
+      # Step 4: Add a step to generate the provenance subjects
+      #         as shown below. Update the sha256 sum arguments
+      #         to include all binaries that you generate
+      #         provenance for.
+      #
+      # ========================================================
+      - name: Generate subject
+        id: hash
+        run: |
+          set -euo pipefail
+
+          sha256sum target_binary binary > checksums
+
+          echo "::set-output name=hashes::$(cat checksums | base64 -w0)"
+
+  # =========================================================
+  #
+  # Step 5: Call the generic workflow to generate provenance
+  #         by declaring the job below.
+  #
+  # =========================================================
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read
+      id-token: write
+      contents: read
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-assets: true # upload to a new release
+```