fix: use tag for the builder in the release workflow #788

Merged: ramonpetgrave64 merged 1 commit into main from ramonpetgrave64-fix-builder-tag, Jul 11, 2024

@ramonpetgrave64
Contributor

The slsa-github-generator's workflow ref needs to be pinned by tag, not by hash.

Fixes this error

 - https://github.com/slsa-framework/slsa-verifier/actions/runs/9893912259/job/27330429383#step:4:17

```
Verifying slsa-verifier-linux-arm64 using slsa-verifier-linux-arm64.intoto.jsonl
Verified signature against tlog entry index 110869188 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77aa9a66ae8969e055f85c9ec9e0ebbe52e4947cd33cf7b84af120088fe641b8e84
Verifying artifact slsa-verifier-linux-arm64: FAILED: invalid ref: "c747fe7769adf3656dc7d588b161cb614d7abfee": unexpected ref type: ""

FAILED: SLSA verification failed: invalid ref: "c747fe7769adf3656dc7d588b161cb614d7abfee": unexpected ref type: ""
```

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
@ramonpetgrave64
Contributor Author

@laurentsimon @ianlewis

@ramonpetgrave64 changed the title from "fix: use tag for builder" to "fix: use tag for the builder in the release workflow" on Jul 11, 2024
@ramonpetgrave64 ramonpetgrave64 merged commit 3714a2a into main Jul 11, 2024
@ramonpetgrave64
Contributor Author

Fixed now

```
Verifying slsa-verifier-linux-amd64 using slsa-verifier-linux-amd64.intoto.jsonl
Verified signature against tlog entry index 110903631 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77ae751a25ad3be26f7bbcf198364c2969a6b789de0abae1a4370ceb7a61b23588d
Verified build using builder "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/tags/v2.0.0" at commit 3714a2a4684014deb874a0e737dffa0ee02dd647
Verifying artifact slsa-verifier-linux-amd64: PASSED

PASSED: Verified SLSA provenance
```
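
An added example, not part of the original thread or the project's own code: a Go check that scans workflow text for slsa-github-generator builder references, flags hash pins like the one behind the failure above, and for tag pins derives the builder ID the provenance should carry. The `Pin` type, `CheckBuilderPins`, and the vX.Y.Z tag pattern are assumptions made for this illustration; the sample workflow is constructed.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Matches a reusable-workflow call into slsa-github-generator: path, then ref.
var usesRe = regexp.MustCompile(`uses:\s*(slsa-framework/slsa-github-generator/\.github/workflows/[\w.-]+)@(\S+)`)
var shaRe = regexp.MustCompile(`^[0-9a-f]{40}$`)
var tagRe = regexp.MustCompile(`^v\d+\.\d+\.\d+$`) // assumption: release tags look like vX.Y.Z

// Pin is one builder reference found in a workflow file (hypothetical type).
type Pin struct {
	Line                 int
	Ref, Kind, BuilderID string // Kind: "tag", "sha" or "other"; BuilderID set for tags only
}

// CheckBuilderPins scans workflow YAML text and classifies each builder ref.
func CheckBuilderPins(workflow string) []Pin {
	var pins []Pin
	for i, line := range strings.Split(workflow, "\n") {
		m := usesRe.FindStringSubmatch(line)
		if m == nil || strings.HasPrefix(strings.TrimSpace(line), "#") {
			continue // not a builder call, or a commented-out one
		}
		p := Pin{Line: i + 1, Ref: m[2], Kind: "other"}
		switch {
		case shaRe.MatchString(m[2]):
			p.Kind = "sha" // the pin style that failed verification in this thread
		case tagRe.MatchString(m[2]):
			p.Kind, p.BuilderID = "tag", "https://github.com/"+m[1]+"@refs/tags/"+m[2]
		}
		pins = append(pins, p)
	}
	return pins
}

// Constructed sample: one job pinned by hash, one pinned by tag.
const sample = `jobs:
  build-bad:
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@c747fe7769adf3656dc7d588b161cb614d7abfee
  build-good:
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v2.0.0 # tag pin
`

func main() {
	fmt.Printf("%+v\n", CheckBuilderPins(sample))
}
```

Run against a release workflow before tagging, any pin whose kind is not "tag" is worth failing the check on, since the provenance it produces will not carry a `refs/tags/` builder ID.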
