slsa-framework / example-package
License: Apache License 2.0
The readme: If there is no existing version for the $THIS_FILE, release creation will fail. This means that when creating a new e2e workflow for a tag trigger, you need to manually create the first release and the notes must contain the $THIS_FILE.
We need to automate this part. The release script can be smarter by taking a default version range and creating the first release.
It should also verify that each version range is unique to a workflow, i.e. there's no collision between them.
We need to use personal access tokens for some actions in e2e tests. We should document what those actions are and what scopes the PAT needs to have, and how to create one.
Why do we need PAT?
github.token does not trigger subsequent workflows: https://github.community/t/push-from-action-does-not-trigger-subsequent-action/16854
What scopes do we need:
When cutting a release for main and when branch1 is at the same commit, the release trigger sometimes indicates that the release is for branch1 instead of main. This makes workflows that expect the main branch exit early and not run at all.
Here's an example https://github.com/slsa-framework/example-package/actions/runs/2476105727:
THIS_FILE: e2e.go.tag.main.config-ldflags-assets-version.slsa3.yml
mismatch branch: file contains refs/heads/main; GitHub env contains refs/heads/branch1
What's really strange is that we explicitly set the branch when creating the release https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e-create-release.sh#L51
slsa-framework/slsa-verifier#193
Currently, we exit early out of the verification when verifying annotated tags for less than version 1.3 OR HEAD
Fix, so we verify at HEAD
Since we can't block on lint errors we have some errors that are generated w/ the current code. We should fix those.
Stagger tests more to mitigate rate limit errors
Are any of them running?
See https://github.com/slsa-framework/example-package/actions/runs/3110439161
THIS_FILE: e2e.generic.workflow_dispatch.main.default.slsa3.yml
{
"message": "Resource not accessible by integration",
"documentation_url": "https://docs.github.com/rest/reference/actions#create-a-workflow-dispatch-event"
}
As we create more and more releases, we may miss the latest release (we currently list 200 in the script). I don't know how the results are ordered when querying the API. If it's chronological, we're fine. But I've already seen some versions being missed, so I suspect it's not...
We may want to delete releases on a regular basis to clean them up, once #34 is resolved
slsa-framework/slsa-github-generator#1108
Similar to the other .github/workflows/verifier-e2e* workflows.
I updated the Action by copying the old Action (https://github.com/slsa-framework/example-package/tree/main/.github/actions/tamper-artifact) into a new one (https://github.com/slsa-framework/example-package/tree/main/.github/actions/tamper-artifact-new). Once it all works, we can delete the old one and rename the new one.
FAILED: SLSA verification failed: v14.2.: invalid semantic version
โ 2 == 0 :: 14.2. versioned-tag vM.N.P (14.2.) should be correct
Error: Process completed with exit code 1.
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are awaiting their schedule. Click on a checkbox to get an update now.
actions/checkout, actions/download-artifact, actions/setup-go, actions/setup-node, actions/upload-artifact, docker/build-push-action, docker/login-action, docker/setup-buildx-action, golangci/golangci-lint-action, google-github-actions/auth, goreleaser/goreleaser-action, sigstore/cosign-installer
@actions/artifact, @actions/http-client, @octokit/action
golangci/golangci-lint-action, slsa-framework/example-trw
Warning: Renovate failed to look up the following dependencies: Failed to look up maven package io.github.slsa-framework.slsa-github-generator:hash-maven-plugin.
Files affected: e2e/maven/workflow_dispatch/pom.xml
Note: Detected dependencies section has been truncated
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.release.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4
bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.schedule.main.adversarial-invalidpath.slsa3.yml
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.schedule.main.adversarial-invalidsubjects.slsa3.yml
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.schedule.main.default.slsa3.yml
actions/checkout v4
bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.schedule.main.multi-uses.slsa3.yml
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.schedule.main.provenance-name.slsa3.yml
actions/checkout v4
bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4
bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.tag.main.annotated.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.tag.main.assets.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4
bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4
goreleaser/goreleaser-action v5.0.0@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4
bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml
slsa-framework/slsa-github-generator v2.0.0
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml
ramonpetgrave64/slsa-github-generator v2.0.0-rc.0
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.workflow_dispatch.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4
bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects-adversarial-format.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects-adversarial-sha256.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.workflow_dispatch.main.tagname.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.generic.workflow_dispatch.main.workflow_inputs.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4
bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.go.push.branch1.config-ldflags.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.go.push.main.config-ldflags.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.go.push.main.config-noldflags.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.go.release.main.config-ldflags-assets.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.go.release.main.config-ldflags-noassets.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.go.schedule.main.adversarial-binary-upload.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.go.schedule.main.adversarial-build-provenance.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.go.schedule.main.adversarial-build.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.go.schedule.main.adversarial-invalidpath.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.go.schedule.main.config-ldflags-main.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.go.schedule.main.config-noldflags.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.go.schedule.main.noldflags-multi-uses.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
.github/workflows/e2e.go.tag.branch1.config-ldflags-assets.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11
actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
We don't currently verify that the input field of a workflow_dispatch trigger is properly populated.
I think we need to:
@ianlewis do we have other tests to be sure it works before we announce v1 release?
With attached provenance, testing CLI verification with a container with bad provenance attached is difficult. See #104 (comment)
We can manipulate the container with cosign/crane, but cannot do this in the shell script right now
If the path or names of inputs to the reusable workflow are not correct then the e2e test workflow doesn't run at all and doesn't create GitHub issues. We need to find a way to have issues created even when the workflow is invalid.
We currently only verify at HEAD https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e.gcb.default.verify.sh#L17
The assertion functions for the bash script don't seem to work. It may be because of the set -euo pipefail we use.
The e2e-delete-old-releases.sh script only deletes old 'releases'. It does not delete old tags for those releases.
GitHub does not trigger GitHub Actions on new releases if the tag is not new. The script should remote delete the tag for the release as well.
As we fix bugs and add features, we will need to perform different tests based on the version of the verifier.
It would be helpful to have functions like version_lt, version_gt, version_range, major_lt, etc.
Describe the bug
I know this is an example repository, but if we are expecting people to install on their own systems, we should try to follow security best practices as well. If the example is no longer valid, we could either repurpose or deprecate the repo.
Improve repository's OpenSSF Scorecard score (currently at 4.1)
To Reproduce
docker run -e GITHUB_AUTH_TOKEN gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/slsa-framework/example-package --format=json > scorecard_slsa-framework_example-package.json
Expected behavior
Additional context
Attempted to upload the JSON file, but github does not allow me to. Related to recommendation of securing our repos: slsa-framework/slsa#424
Let's update https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.generic.slsa2.yml to follow the same structure as https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.go.schedule.main.slsa3.yml
Feel free to comment how to improve the current setup.
@ianlewis do you want to take a stab at it?
After slsa-framework/slsa-verifier#231 we will have two sub-commands added to the verifier: verify-artifact and verify-container.
Then, we will also have the following transformation on argument names:
# provenance -> provenance-path
# source -> source-uri
# tag -> source-tag
# versioned-tag -> source-versioned-tag
# branch -> source-branch
# workflow-input -> build-workflow-input
WDYT about making an e2e_verifier_arg_transformer $tag that returns a function whose signature is func $argument and returns the correct argument name? Likewise, we can make e2e_verifier_subcommand_transformer $tag that returns a func whose signature is func $artifact-type and returns either verify-artifact or "" for previous versions?
I am not so well-versed in bash scripting, but I think I can do something like that.
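The version helpers asked for earlier on this page (version_lt, version_gt, version_range, major_lt) and the argument and sub-command translation proposed in the issue above, written as one added POSIX shell example; it is not code from the example-package repository. A shell function cannot return a function, so each transformer takes the verifier tag and the name together; the cutoff v9.9.9 is a placeholder, the artifact-type values artifact and container are assumed, and treating a tag that does not parse as a version (such as HEAD) as the newest CLI is also an assumption.

```shell
#!/bin/sh
# Added example (constructed). Placeholder cutoff: replace with the first
# verifier release that ships slsa-verifier#231. v9.9.9 is made up.
E2E_NEW_CLI_CUTOFF="${E2E_NEW_CLI_CUTOFF:-v9.9.9}"

# Print "MAJOR MINOR PATCH" for tags such as v1.2.3, 1.2 or v2.0.0-rc.0.
# A pre-release or build suffix is dropped, so v2.0.0-rc.0 compares equal to
# v2.0.0. Returns 1 for anything that is not one to three dotted numbers.
# The ( ) body runs in a subshell, so IFS and variables do not leak.
_version_fields() (
    v=${1#v}
    v=${v%%[-+]*}
    case "$v" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $v
    [ "$#" -le 3 ] || return 1
    echo "${1:-0} ${2:-0} ${3:-0}"
)

# Print lt, eq or gt for the two versions; return 2 if either is invalid.
version_compare() (
    a=$(_version_fields "$1") || return 2
    b=$(_version_fields "$2") || return 2
    set -- $a $b    # $1..$3 = first version, $4..$6 = second version
    for pair in "$1 $4" "$2 $5" "$3 $6"; do
        l=${pair% *}
        r=${pair#* }
        if [ "$l" -lt "$r" ]; then echo lt; return 0; fi
        if [ "$l" -gt "$r" ]; then echo gt; return 0; fi
    done
    echo eq
)

# Predicates. An invalid version makes every predicate false.
version_lt() { [ "$(version_compare "$1" "$2")" = lt ]; }
version_gt() { [ "$(version_compare "$1" "$2")" = gt ]; }
version_ge() {
    case "$(version_compare "$1" "$2")" in
        eq|gt) return 0 ;;
    esac
    return 1
}

# version_range VERSION LOW HIGH: true when LOW <= VERSION < HIGH.
version_range() { version_ge "$1" "$2" && version_lt "$1" "$3"; }

# major_lt A B: true when the major number of A is below that of B.
major_lt() (
    a=$(_version_fields "$1") || return 2
    b=$(_version_fields "$2") || return 2
    [ "${a%% *}" -lt "${b%% *}" ]
)

# e2e_verifier_arg_transformer TAG ARGUMENT
# Print the argument name the verifier at TAG expects. Tags below the cutoff
# keep the old name; everything else gets the renamed one from the issue.
e2e_verifier_arg_transformer() {
    if version_lt "$1" "$E2E_NEW_CLI_CUTOFF"; then
        echo "$2"
        return 0
    fi
    case "$2" in
        provenance)     echo provenance-path ;;
        source)         echo source-uri ;;
        tag)            echo source-tag ;;
        versioned-tag)  echo source-versioned-tag ;;
        branch)         echo source-branch ;;
        workflow-input) echo build-workflow-input ;;
        *)              echo "$2" ;;   # names without a rename pass through
    esac
}

# e2e_verifier_subcommand_transformer TAG ARTIFACT_TYPE
# Print the sub-command for TAG, or an empty string for older verifiers.
e2e_verifier_subcommand_transformer() {
    if version_lt "$1" "$E2E_NEW_CLI_CUTOFF"; then
        echo ""
        return 0
    fi
    case "$2" in
        artifact)  echo verify-artifact ;;
        container) echo verify-container ;;
        *)         return 1 ;;         # unknown artifact type
    esac
}
```

Numeric comparison per field is what makes v1.9.0 sort below v1.10.0, which a plain string comparison gets wrong.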
I would like to update tests that are supposed to fail to be marked as succeeded workflows. This is so we can easily look at the list of workflow runs and find what's broken.
Right now it's really hard to see if tests are actually broken or are working fine just based on the workflow runs page.
See here:
https://github.com/slsa-framework/example-package/actions/runs/4443615380/jobs/7801046760
When creating a new release, we don't skip over pre-release.
Also, make sure pre-releases are deleted in the cleanup script.
Add linter config to catch issues with shell scripts and yaml etc.
This issue tracks action items left for GCB verification support.
Currently, the workflows run on two schedules, a biweekly one and a daily one. The biweekly one triggers a build, while the daily one retrieves the latest build from that image and verifies it.
Currently, we test:
Things to note:
branch1. Tag verification is skipped because we aren't verifying on GITHUB_REF_TYPE tag (we build on tag, but verify on daily schedule)
We need to fix this. I think the easiest way is to give each test its own MAJOR number
This is missing, let's add it.
Lots of scripts are inline in yaml and we'd like to externalize into their own files as much as possible so that linters will run on them etc.
Because it's still WIP, I create issues on a personal repo when e2e fail, see https://github.com/laurentsimon/slsa-on-github-test/issues
I will move these to the slsa-github-generator-go website once the last couple e2e tests are complete.
The entrypoint seems to be empty... If I read the error properly.
/cc @ianlewis
There is a lot of redundant code in e2e tests that we may be able to get rid of by creating reusable GitHub actions
The builder name is currently hardcoded in https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e-verify.sh#L143
We should make it parameterizable, e.g. via a BUILDER env variable declared in workflows.
This will allow us to support other builders
We hardcode THIS_FILE in workflows. We may replace it by retrieving it dynamically via run APIs slsa-framework/slsa-github-generator#11 (comment)
The workflow name is used by several workflows, so we should ensure they are unique
The github.com/pborman/uuid dependency is not defined in BUILD.
$ bazel build //:hello
INFO: SHA256 (https://golang.org/dl/?mode=json&include=all) = a4d705c35801dd9f1977d7ab1e06541f2930ee95d07cecd4cd9384a8b5022b74
INFO: Analyzed target //:hello (36 packages loaded, 7185 targets configured).
INFO: Found 1 target...
ERROR: /usr/local/google/home/ianlewis/tmp/example-package/BUILD:3:10: GoCompilePkg hello.a failed: (Exit 1): builder failed: error executing command bazel-out/host/bin/external/go_sdk/builder compilepkg -sdk external/go_sdk -installsuffix linux
_amd64 -src main.go -p main -package_list bazel-out/host/bin/external/go_sdk/packages.txt -o ... (remaining 7 argument(s) skipped)
Use --sandbox_debug to see verbose messages from the sandbox builder failed: error executing command bazel-out/host/bin/external/go_sdk/builder compilepkg -sdk external/go_sdk -installsuffix linux_amd64 -src main.go -p main -package_list bazel-o
ut/host/bin/external/go_sdk/packages.txt -o ... (remaining 7 argument(s) skipped)
Use --sandbox_debug to see verbose messages from the sandbox
compilepkg: missing strict dependencies:
/usr/local/google/home/ianlewis/.cache/bazel/_bazel_ianlewis/ecc6b2c9535458cf9591ab3a5314645a/sandbox/linux-sandbox/3/execroot/__main__/main.go: import of "github.com/pborman/uuid"
No dependencies were provided.
Check that imports in Go sources match importpath attributes in deps.
Target //:hello failed to build
Use --verbose_failures to see the command lines of failed build steps.
INFO: Elapsed time: 14.398s, Critical Path: 1.33s
INFO: 7 processes: 5 internal, 2 linux-sandbox.
FAILED: Build did NOT complete successfully
We need to share the scripts between the main repo and this one to avoid wasting time updating each independently.
See slsa-framework/slsa-github-generator#26
We have default DEFAULT_VERSION used in workflows that release. We need to validate they are unique to each workflow.
We need common verify function for the tests
Instead of using curl, we could use the gh CLI gh api -H "Accept: application/vnd.github.v3+json"...
Using this to track progress here for 1.0 docker-based verification, so that for delegator you can reference it.
One of the use cases of using SLSA generators is generating artifacts with GoReleaser and using a generic generator to generate provenance, so, it'd be good to add an example of this to ensure that everything is working as we expected during new releases of both GoReleaser and generators. Maybe we could add draft-release support to test the new behavior slsa-framework/slsa-github-generator#1476.
/cc @caarlos0
WDYT @ianlewis @laurentsimon @asraa ?
temporarily to test verification of multiple subjects. It currently calls the verification scripts 3 times, meaning that it compiles the verifier 3 times.
We need to update the scripts to verify the 3 artifacts with a single call.
/cc @ianlewis