docs: add section for verify-github-attestation #858
ramonpetgrave64 merged 1 commit into slsa-framework:main from
| Attestations produced by [attest-build-provenance](https://github.com/actions/attest-build-provenance) | ||
| Currently limited to artifacts built with the following builder-ids: |
The documentation header makes this sound like this verifier supports all GitHub artifact attestations whereas we only support these hardcoded builder IDs. Is there anything we can add to make this more clear? References for how to onboard additional builder IDs?
I'll update this.
I think this is a bit of a design quirk with slsa-verifier. It's kind of a convoluted code path, but I think some further work here should allow any artifact attestation as long as you use the builder-id on the command line.
This README doesn't really dive into how to "add" anything in any other section, so I'm going to leave it out.
8e4ad4e to e519a38
Followup to #840
Resolves #849

Removes the experimental flag for verifying bazel attestations.

TODO:
- [ ] add example invocation for bazel #858 (review)
- [ ] create a new release

---------

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
ignore those codeql failures, they're because I accidentally pushed a branch to this repo instead of the loosebazooka/slsa-verifier repo
Signed-off-by: Appu Goundan <appu@google.com>
e519a38 to 543a19e
I think we merge post release?
Merge before release, so pkg.go.dev docs can be updated.
Readme update for #850