From aec987bfb55cb1003ba043fdd1a67426eba751e3 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 1 Aug 2022 15:00:08 +0000
Subject: [PATCH] comments
---
 ci/generator-generic-ossf-slsa3-publish.yml | 12 +++++++-----
 ...erator-generic-ossf-slsa3-publish.properties.json | 4 ++--
 2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml
index feadcf2..c8a3544 100644
--- a/ci/generator-generic-ossf-slsa3-publish.yml
+++ b/ci/generator-generic-ossf-slsa3-publish.yml
@@ -3,9 +3,8 @@
 # separate terms of service, privacy policy, and support
 # documentation.
-# This workflow lets you compile your Go project using a SLSA3 compliant builder
-# This workflow will generate a so-called "provenance" file describing the steps
-# that were performed to generate the final binary.
+# This workflow lets you generate SLSA provenance file for your project.
+# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
 # The project is an initiative of the OpenSSF (openssf.org) and is developed at
 # https://github.com/slsa-framework/slsa-github-generator.
 # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
@@ -26,7 +25,7 @@ jobs:
 digests: ${{ steps.hash.outputs.digests }}
 steps:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
+ uses: actions/checkout@v3
 # ========================================================
 #
@@ -52,7 +51,10 @@ jobs:
 run: |
 set -euo pipefail
- echo "::set-output name=digests::$(sha256sum artifact1 artifact2 | base64 -w0)"
+ # List the artifacts the provenance will refer to.
+ files=$(ls artifact*)
+ # Generate the subjects (base64 encoded).
+ echo "::set-output name=digests::$(sha256sum $files | base64 -w0)"
 provenance:
 needs: [build]
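Review bot: In the `@@ -26,7 +25,7 @@` hunk the checkout step moves from a full commit SHA to the mutable tag `v3`, so the code that runs in the `build` job is no longer fixed by this file and changes whenever that tag is moved. For a workflow whose purpose is SLSA provenance I would keep the pin together with its readable tag comment: `uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3`. If the tag form is required by this repository's template conventions, a comment above the step telling users to pin to a commit SHA would at least document the trade-off. The `steps:` list continues outside the hunk.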
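Review bot: In the `@@ -52,7 +51,10 @@` hunk, `files=$(ls artifact*)` followed by the unquoted `$files` word-splits and re-globs the names, so an artifact whose name contains whitespace or glob characters is hashed under the wrong name or not at all, and a matching directory makes `ls` print its contents instead of the path. These digests become the provenance subjects, so the list should come straight from the glob: `digests=$(sha256sum -- artifact* | base64 -w0)` and then `echo "::set-output name=digests::$digests"`. Assigning first also lets `set -euo pipefail` stop the step when `sha256sum` fails, which a command substitution inside the `echo` argument does not. The step that owns this `run:` script starts above the hunk.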
diff --git a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json
index 2861c3f..32cf63d 100644
--- a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json
+++ b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json
@@ -2,6 +2,6 @@
 "name": "SLSA Generic generator",
 "creator": "Open Source Security Foundation (OpenSSF)",
 "description": "Generate SLSA3 provenance for your existing release workflows",
- "iconName": "go-ossf-slsa3-publish",
- "categories": ["Continuous integration"]
+ "iconName": "generator-generic-ossf-slsa3-publish",
+ "categories": ["Continuous integration", "Go", "Elixir", "Erlang", "PHP", "Haskell", "Rust", "Java", "Scala", "Gradle", "Maven", "Python", "C", "C++", "TypeScript", "JavaScript", "npm", "Ruby", "HTML", "Composer", "Makefile", "Ada"]
 }