add slsa verifier installer action#969
mchmarny wants to merge 6 commits into ko-build:main from mchmarny:mchmarny-slsa-verfier-action
Conversation
Codecov Report
@@ Coverage Diff @@
##             main     #969      +/-   ##
==========================================
+ Coverage   52.50%   52.82%   +0.32%
==========================================
  Files          43       43
  Lines        3331     3360      +29
==========================================
+ Hits         1749     1775      +26
- Misses       1353     1359       +6
+ Partials      229      226       -3
updates slsa verifier parameters
.github/workflows/release.yml
| needs: [goreleaser, provenance] | ||
| runs-on: ubuntu-latest | ||
| env: | ||
| ATT_FILE_NAME: "attestation.intoto.jsonl" |
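Review bot: `ATT_FILE_NAME` hard-codes the attestation file name as `attestation.intoto.jsonl`, but the name emitted by the provenance job is not fixed (the reply below reports `multiple.intoto.jsonl` from the goreleaser-based generator), so verification would look for a file that does not exist. Take the name from the provenance job's output instead of a literal, and fail the job explicitly if the file is missing or empty rather than letting a later step hit a missing path.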
Is this attestation.intoto or multiple?
I'm not sure if multiples are fully supported yet but it works for me with the latest version here. In that case, the attestation file generated by SLSA Generator using goreleaser was multiple.intoto.jsonl
Here is the PR that fixes this problem: https://github.com/ko-build/ko/pull/983/files
You may rebase from main.
.github/workflows/release.yml
| runs-on: ubuntu-latest | ||
| env: | ||
| ATT_FILE_NAME: "attestation.intoto.jsonl" |
We don't need this anymore; you can remove this since you have the PROVENANCE variable where you verify it.
Can you bump the version of the slsa-verifier-installer to 2.3.0 @mchmarny?

Done, updated to v2.3.0.

This Pull Request is stale because it has been open for 90 days with

@imjasonh we can merge this one.

This Pull Request is stale because it has been open for 90 days with
Replaces manual SLSA verifier download with the installer action
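The shape of a verification job built around the installer action, as an added example written for this page and not taken from the ko repository or this PR. It assumes that an upstream job named `provenance` exposes the attestation file name as the output `provenance-name`, that the build job `goreleaser` has already attached the release archives and the provenance file to the GitHub release for the pushed tag, and that the archives match the glob `*.tar.gz`; all three are assumptions, not facts from the thread. The `verify-artifact` subcommand and its `--provenance-path`, `--source-uri` and `--source-tag` flags are slsa-verifier's own.

```yaml
# Added example: a job that slots under `jobs:` in a release workflow.
# Assumed upstream jobs: `goreleaser` (builds and publishes archives) and
# `provenance` (runs the slsa-github-generator and exposes the attestation
# file name as the `provenance-name` output).
  verification:
    needs: [goreleaser, provenance]
    runs-on: ubuntu-latest
    permissions:
      contents: read        # only needs to read release assets
    env:
      # Assumption: the provenance job publishes its file name as an output,
      # so the name is never hard-coded here.
      PROVENANCE: ${{ needs.provenance.outputs.provenance-name }}
      GH_TOKEN: ${{ github.token }}
    steps:
      # Pinned installer action replaces a hand-rolled curl + checksum step.
      - name: Install slsa-verifier
        uses: slsa-framework/slsa-verifier/actions/installer@v2.3.0

      # Assumption: archives and the provenance file are release assets.
      - name: Download release assets
        run: |
          set -euo pipefail
          gh release download "${GITHUB_REF_NAME}" --pattern '*.tar.gz'
          gh release download "${GITHUB_REF_NAME}" --pattern "${PROVENANCE}"

      - name: Verify provenance for every archive
        run: |
          set -euo pipefail
          # Fail loudly if the provenance job produced nothing usable.
          if [ ! -s "${PROVENANCE}" ]; then
            echo "provenance file '${PROVENANCE}' is missing or empty" >&2
            exit 1
          fi
          found=0
          for artifact in *.tar.gz; do
            [ -e "${artifact}" ] || continue
            found=1
            # Source URI and tag pin the expected builder inputs; a provenance
            # from another repository or tag fails verification.
            slsa-verifier verify-artifact "${artifact}" \
              --provenance-path "${PROVENANCE}" \
              --source-uri "github.com/${GITHUB_REPOSITORY}" \
              --source-tag "${GITHUB_REF_NAME}"
          done
          if [ "${found}" -eq 0 ]; then
            echo "no *.tar.gz archives to verify" >&2
            exit 1
          fi
```

The explicit size check on the provenance file and the "nothing verified" guard are there because a loop over a glob that matches nothing, or a verifier run against an empty file, is the easiest way for a verification job to go green without having verified anything.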