Feature: update e2e tests for generic repo about example-package HOT 4 OPEN

Sure. I can take a look at it.

from example-package.

I'm still actively updating https://github.com/slsa-framework/example-package/tree/main/.github/workflows. I have a couple more to add then I will start adding adversarial e2e tests (caller workflow tampers with the artifact registry we use to pass binaries around). I loosely keep track of it in slsa-framework/slsa-github-generator#76
Don't hesitate to ask if you have questions: I have not documented everything yet

from example-package.

@laurentsimon I see, you've gone ahead and done a lot of the work already.

Why don't you get started on the adversarial tests and I can handle the TODOs you've got in e2e-verify.sh
https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e-verify.sh

I'll also spend some time understanding a bit more how it works and documenting it.

from example-package.

most TODOs in the e2e-verify.sh are done or cannot be done until we update the verifier (https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e-verify.sh#L176) or cut a release for the verifier (https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e-verify.sh#L177). The other TODOs need to be removed.

Feel free to use slsa-framework/slsa-github-generator#76 to add support:

• main field in config: https://github.com/slsa-framework/slsa-github-generator-go/blob/main/pkg/testdata/releaser-valid-main.yml#L13
• verification of builder env in e2e-verify.sh slsa-framework/slsa-github-generator-go#95

Let me know if you want to take these

from example-package.