From c241f40042eb057763385902b0517724604a29ad Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 1 Aug 2022 17:26:58 +0000 Subject: [PATCH 01/20] update Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 44 +++++++++++++++++++++++++++++++--- README.md | 11 +++++++++ 2 files changed, 52 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 002c105be36..a671e88ee8d 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -9,7 +9,9 @@ on: env: GO_VERSION: 1.18.5 jobs: - upload-release: + build: + outputs: + hashes: ${{ steps.hash.outputs.hashes }} runs-on: ubuntu-latest steps: - name: Checkout code into the Go module directory 
@@ -30,14 +32,50 @@ jobs: run: make GIT_TAG=${{ github.event.inputs.tag }} -f builder.Makefile cross - name: Compute checksums - run: cd bin; for f in *; do shasum --binary --algorithm 256 $f | tee -a checksums.txt > $f.sha256; done + working-directory: bin/ + run: for f in *; do shasum --binary --algorithm 256 $f | tee -a checksums.txt > $f.sha256; done + + - name: Generate SLSA subjects + id: hash + working-directory: bin/ + run: | + set -euo pipefail + echo "::set-output name=hashes::$(cat checksums.txt | base64 -w0)" - name: License run: cp packaging/* bin/ + - uses: actions/upload-artifact@v3 + with: + name: "bin" + path: "bin/*" + + provenance: + needs: [build] + permissions: + actions: read # To read the workflow path. + id-token: write # To sign the provenance. + contents: write # To add assets to a release. + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0 + with: + base64-subjects: "${{ needs.build.outputs.hashes }}" + + release: + needs: [build, provenance] + runs-on: ubuntu-latest + steps: + # Download binaries and license. + - uses: actions/download-artifact@v3 + with: + name: "bin" + # Download provenance file. + - uses: actions/download-artifact@v3 + with: + name: "${{ needs.provenance.outputs.attestation-name }}" + # Upload to release. - uses: ncipollo/release-action@v1 with: - artifacts: "bin/*" + artifacts: "*" generateReleaseNotes: true draft: true commit: "v2" diff --git a/README.md b/README.md index 8e6871b244e..7b4f3c527ec 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # Docker Compose v2 [![Actions Status](https://github.com/docker/compose/workflows/Continuous%20integration/badge.svg)](https://github.com/docker/compose/actions) +[![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev/images/gh-badge-level3.svg) ![Docker Compose](logo.png?raw=true "Docker Compose Logo") 
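Review bot: Every third-party action in the new pipeline is referenced by a mutable tag (`actions/upload-artifact@v3`, `actions/download-artifact@v3`, `ncipollo/release-action@v1`), so the job that publishes the SLSA-attested binaries can itself be altered by whoever controls those tags; pin each to a full commit SHA with the version in a trailing comment, e.g. `- uses: ncipollo/release-action@<commit-sha> # v1`. The generator is the one exception: follow slsa-github-generator's own guidance on how its reusable workflow must be referenced. The `hashes` output is emitted with `::set-output`, which GitHub has since deprecated in favour of appending to `$GITHUB_OUTPUT`, and because `checksums.txt` becomes the attested subject list it is worth quoting the loop variable, `shasum --binary --algorithm 256 "$f"`. The `provenance` job requests `contents: write` "to add assets to a release", but uploading is done by the `release` job here, so that grant looks droppable unless the generator is also configured to upload assets itself.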
@@ -30,6 +31,16 @@ for Windows and macOS. You can download Docker Compose binaries from the [release page](https://github.com/docker/compose/releases) on this repository. +We generate [SLSA3 provenance](slsa.dev) using the OpenSSF's [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator). To verify the binaries: +1. Install the verification tool from [slsa-framework/slsa-verifier#installation](https://github.com/slsa-framework/slsa-verifier#installation) +1. Download the file named `attestation.intoto.jsonl` from the release +1. Run: +```shell +$ slsa-verifier -artifact-path -provenance attestation.intoto.jsonl -source github.com/docker/compose -branch v2 + PASSED: Verified SLSA provenance +``` + + Rename the relevant binary for your OS to `docker-compose` and copy it to `$HOME/.docker/cli-plugins` Or copy it into one of these folders for installing it system-wide: From e8bd1b72436241ebb826e5db487cc295ddef2703 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Tue, 9 Aug 2022 12:41:05 -0700 Subject: [PATCH 02/20] Update .github/workflows/release.yaml Co-authored-by: Nick Sieger Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a671e88ee8d..5ca1980a633 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -72,6 +72,11 @@ jobs: - uses: actions/download-artifact@v3 with: name: "${{ needs.provenance.outputs.attestation-name }}" + # Verify binaries if dry run + - name: Verify binaries + if: 'inputs.dry-run' + run: | + echo TODO: verify with slsa-verifier # Upload to release. - uses: ncipollo/release-action@v1 with: From 1cadf8e26a19157d4085d606f3a9b9d43066e2ce Mon Sep 17 00:00:00 2001 
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Tue, 9 Aug 2022 12:41:18 -0700 Subject: [PATCH 03/20] Update .github/workflows/release.yaml Co-authored-by: Nick Sieger Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 5ca1980a633..587cc678fa8 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -79,6 +79,7 @@ jobs: echo TODO: verify with slsa-verifier # Upload to release. - uses: ncipollo/release-action@v1 + if: '! inputs.dry-run' with: artifacts: "*" generateReleaseNotes: true From b5b5130e835effa8690d5ddc01cf47ac38c29b82 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Tue, 9 Aug 2022 12:41:36 -0700 Subject: [PATCH 04/20] Update .github/workflows/release.yaml Co-authored-by: Nick Sieger Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 587cc678fa8..949b9063cae 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -6,6 +6,11 @@ on: tag: description: "Release Tag" required: true + dry-run: + description: "Build, sign, verify but do not release" + required: false + type: boolean + default: true env: GO_VERSION: 1.18.5 jobs: From b123c210925a0954686a9fe139bd4cacce9a4b27 Mon Sep 17 00:00:00 2001 From: Milas Bowman Date: Tue, 2 Aug 2022 13:39:42 -0400 Subject: [PATCH 05/20] build: bump to Go 1.18.5 Can give 1.19 a bit of time before we upgrade ;) Signed-off-by: Milas Bowman Signed-off-by: laurentsimon --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 4f73eaaca89..e3aaa8c72d6 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -122,4 +122,4 @@ jobs: run: | rm -f /usr/local/bin/docker-compose cp bin/docker-compose /usr/local/bin - make e2e-compose-standalone + make e2e-compose-standalone \ No newline at end of file From 22afc9a3473e31bd054787db70fb4d3c4717c661 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 1 Aug 2022 17:26:58 +0000 Subject: [PATCH 06/20] update Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 949b9063cae..1032f974f5e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -12,7 +12,7 @@ on: type: boolean default: true env: - GO_VERSION: 1.18.5 + GO_VERSION: 1.18.4 jobs: build: outputs: @@ -30,7 +30,7 @@ jobs: - name: Setup docker CLI run: | - curl https://download.docker.com/linux/static/stable/x86_64/docker-20.10.17.tgz | tar xz + curl https://download.docker.com/linux/static/stable/x86_64/docker-20.10.3.tgz | tar xz sudo cp ./docker/docker /usr/bin/ && rm -rf docker && docker version - name: Build @@ -91,4 +91,4 @@ jobs: draft: true commit: "v2" token: ${{ secrets.GITHUB_TOKEN }} - tag: ${{ github.event.inputs.tag }} + tag: ${{ github.event.inputs.tag }} \ No newline at end of file From a72da9757a9fbb5c3198f2341901f93f2ed2ec0b Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 10 Aug 2022 22:57:02 +0000 Subject: [PATCH 07/20] Add verification Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 46 +++++++++++++++++++++++++++++++--- 1 file changed, 43 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 1032f974f5e..84c5c85aef9 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -11,8 +11,12 @@ on: required: false type: boolean default: true + +permissions: read-all + env: GO_VERSION: 1.18.4 + jobs: build: outputs: @@ -68,6 +72,8 @@ jobs: release: needs: [build, provenance] runs-on: ubuntu-latest + permissions: + contents: write steps: # Download binaries and license. - uses: actions/download-artifact@v3 @@ -77,11 +83,45 @@ jobs: - uses: actions/download-artifact@v3 with: name: "${{ needs.provenance.outputs.attestation-name }}" - # Verify binaries if dry run + # Verify binaries. - name: Verify binaries - if: 'inputs.dry-run' + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + PROVENANCE: "${{ needs.provenance.outputs.attestation-name }}" run: | - echo TODO: verify with slsa-verifier + set -euo pipefail + + # Download the verifier. This will be replaced by the GHA. + gh -R slsa-framework/slsa-verifier release download v1.2.0 -p "slsa-verifier-linux-amd64" + + # Note: see https://github.com/slsa-framework/slsa-verifier/blob/main/SHA256SUM.md + COMPUTED_HASH=$(sha256sum slsa-verifier-linux-amd64 | cut -d ' ' -f1) + EXPECTED_HASH="37db23392c7918bb4e243cdb097ed5f9d14b9b965dc1905b25bc2d1c0c91bf3d" + if [[ "$EXPECTED_HASH" != "$COMPUTED_HASH" ]];then + echo "error: expected $EXPECTED_HASH, computed $COMPUTED_HASH" + exit 1 + fi + chmod ug+x slsa-verifier-linux-amd64 + + # Verify all files, except LICENSE, .sha256 and checksums.txt files. + rm LICENSE *.sha256 checksums.txt + for f in *; + do + if [[ "$f" == "attestation.intoto.jsonl" ]] || [[ "$f" == "slsa-verifier-linux-amd64" ]]; then + continue + fi + + echo "verifying $f" + ./slsa-verifier-linux-amd64 -artifact-path "$f" \ + -provenance "$PROVENANCE" \ + -source "github.com/$GITHUB_REPOSITORY" \ + -branch v2 + + done + + # The slsa verifier is not part of the project. + rm ./slsa-verifier-linux-amd64 + # Upload to release. - uses: ncipollo/release-action@v1 if: '! inputs.dry-run' From 8faafef4b7e8e50187fb59e374f0b6fea646425d Mon Sep 17 00:00:00 2001 
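Review bot: The verifier binary is downloaded into the same directory as the release artifacts and the provenance file, so the loop has to special-case it and the trailing `rm ./slsa-verifier-linux-amd64` is the only thing keeping it out of `artifacts: "*"`; download it into the runner's scratch directory instead, `gh -R slsa-framework/slsa-verifier release download v1.2.0 -p "slsa-verifier-linux-amd64" -D "$RUNNER_TEMP"`, and invoke `"$RUNNER_TEMP/slsa-verifier-linux-amd64"`, which makes the cleanup unnecessary. The same layout is kept when the download moves into its own step in PATCH 15 (both release.yaml hunks there). The pinned SHA-256 comparison on the downloaded verifier is the right shape; keep the download and the digest check adjacent so the binary is never invoked before its hash is confirmed. Verifying inside the publishing workflow with `-branch v2` is a useful pre-publish smoke test that the attestation matches the artifacts and the expected source, but it does not replace the consumer-side check the README describes, so the step comment could say so explicitly.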
From: laurentsimon Date: Wed, 10 Aug 2022 22:59:39 +0000 Subject: [PATCH 08/20] update Signed-off-by: laurentsimon --- .github/workflows/ci.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index e3aaa8c72d6..4f73eaaca89 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -122,4 +122,4 @@ jobs: run: | rm -f /usr/local/bin/docker-compose cp bin/docker-compose /usr/local/bin - make e2e-compose-standalone \ No newline at end of file + make e2e-compose-standalone From 777022979709a80fa1bfe2ff0ff4f104137e8b5f Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 10 Aug 2022 23:00:10 +0000 Subject: [PATCH 09/20] update Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 84c5c85aef9..a16b9923937 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -131,4 +131,4 @@ jobs: draft: true commit: "v2" token: ${{ secrets.GITHUB_TOKEN }} - tag: ${{ github.event.inputs.tag }} \ No newline at end of file + tag: ${{ github.event.inputs.tag }} From 0c124a1a4e4eb989dbb53821b311cbfb6e5c66b3 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 10 Aug 2022 23:02:28 +0000 Subject: [PATCH 10/20] merge fix Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index a16b9923937..33bd65389ca 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -34,7 +34,7 @@ jobs: - name: Setup docker CLI run: | - curl https://download.docker.com/linux/static/stable/x86_64/docker-20.10.3.tgz | tar xz + curl https://download.docker.com/linux/static/stable/x86_64/docker-20.10.17.tgz | tar xz sudo cp ./docker/docker /usr/bin/ && rm -rf docker && docker version - name: Build 
From 71abac2fc9c63cc4c21205b2e408d64bc66da168 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 10 Aug 2022 23:11:27 +0000 Subject: [PATCH 11/20] update Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 33bd65389ca..9e683949dad 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -104,14 +104,17 @@ jobs: chmod ug+x slsa-verifier-linux-amd64 # Verify all files, except LICENSE, .sha256 and checksums.txt files. - rm LICENSE *.sha256 checksums.txt for f in *; do - if [[ "$f" == "attestation.intoto.jsonl" ]] || [[ "$f" == "slsa-verifier-linux-amd64" ]]; then + if [[ "$f" == "attestation.intoto.jsonl" ]] || \ + [[ "$f" == "slsa-verifier-linux-amd64" ]] || \ + [[ "$f" == "LICENSE" ]] || \ + [[ "$f" == "checksums.txt" ]] || \ + [[ $f == *.sha256 ]]; then continue fi - echo "verifying $f" + echo "Verifying $f" ./slsa-verifier-linux-amd64 -artifact-path "$f" \ -provenance "$PROVENANCE" \ -source "github.com/$GITHUB_REPOSITORY" \ From de5b1902b9d1dd296702d06cefc472996a6b941d Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 10 Aug 2022 23:28:40 +0000 Subject: [PATCH 12/20] update Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 8 ++------ 1 file changed, 2 insertions(+), 6 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 9e683949dad..c0a9ea2e88e 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -103,14 +103,10 @@ jobs: fi chmod ug+x slsa-verifier-linux-amd64 - # Verify all files, except LICENSE, .sha256 and checksums.txt files. + # Verify the binaries. for f in *; do - if [[ "$f" == "attestation.intoto.jsonl" ]] || \ - [[ "$f" == "slsa-verifier-linux-amd64" ]] || \ - [[ "$f" == "LICENSE" ]] || \ - [[ "$f" == "checksums.txt" ]] || \ - [[ $f == *.sha256 ]]; then + if [[ ! -f "$f.sha256" ]]; then continue fi From 56fb4a8b3629c48e3ee42b02d2e9d45fd0aa8887 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 10 Aug 2022 23:29:22 +0000 Subject: [PATCH 13/20] merge fix Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index c0a9ea2e88e..7ba616edeac 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -15,7 +15,7 @@ on: permissions: read-all env: - GO_VERSION: 1.18.4 + GO_VERSION: 1.18.5 jobs: build: From 5430ff8a57f0cdb0b39cfd1d6c8322c831579885 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 11 Aug 2022 00:51:55 +0000 Subject: [PATCH 14/20] update Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 7ba616edeac..8094c6b4844 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -93,7 +93,7 @@ jobs: # Download the verifier. This will be replaced by the GHA. gh -R slsa-framework/slsa-verifier release download v1.2.0 -p "slsa-verifier-linux-amd64" - + chmod ug+x slsa-verifier-linux-amd64 # Note: see https://github.com/slsa-framework/slsa-verifier/blob/main/SHA256SUM.md COMPUTED_HASH=$(sha256sum slsa-verifier-linux-amd64 | cut -d ' ' -f1) EXPECTED_HASH="37db23392c7918bb4e243cdb097ed5f9d14b9b965dc1905b25bc2d1c0c91bf3d" 
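Review bot: Replacing the explicit exclusion list with `if [[ ! -f "$f.sha256" ]]; then continue` makes the loop fail open: any downloaded file without a `.sha256` sidecar is silently skipped rather than failing verification, and the step still succeeds if the artifact download produced nothing at all. Keep the selection but count what was verified and fail on zero, e.g. `verified=0` before the loop, `verified=$((verified + 1))` after the verifier call, and `[[ "$verified" -gt 0 ]] || { echo "error: no artifacts verified"; exit 1; }` after `done`. A stricter variant would compare the verified names against the entries in `checksums.txt`, since that file is the attested subject list. The enclosing `for` loop ends outside the hunk.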
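Review bot: `chmod ug+x slsa-verifier-linux-amd64` now runs before the downloaded file's digest has been compared, so it is marked executable while still untrusted; nothing invokes it before the `exit 1`, so this is an ordering point rather than a live risk, but keeping the `chmod` after the `fi` lets the step read as verify-then-trust. The digest comparison this hunk prepares continues in the next hunk of the same patch.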
@@ -101,7 +101,6 @@ jobs: echo "error: expected $EXPECTED_HASH, computed $COMPUTED_HASH" exit 1 fi - chmod ug+x slsa-verifier-linux-amd64 # Verify the binaries. for f in *; From 0a765a40da5a7e12f54e1f4c20a7d1fb155443c1 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 11 Aug 2022 01:02:15 +0000 Subject: [PATCH 15/20] update Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 30 +++++++++++++++++------------- 1 file changed, 17 insertions(+), 13 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 8094c6b4844..09899da64ff 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -75,6 +75,22 @@ jobs: permissions: contents: write steps: + # Install the verifier + - name: Install the verfier + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + run: | + set -euo pipefail + + # Download the verifier. This will be replaced by the GHA. + gh -R slsa-framework/slsa-verifier release download v1.2.0 -p "slsa-verifier-linux-amd64" + chmod ug+x slsa-verifier-linux-amd64 + # Note: see https://github.com/slsa-framework/slsa-verifier/blob/main/SHA256SUM.md + COMPUTED_HASH=$(sha256sum slsa-verifier-linux-amd64 | cut -d ' ' -f1) + EXPECTED_HASH="37db23392c7918bb4e243cdb097ed5f9d14b9b965dc1905b25bc2d1c0c91bf3d" + if [[ "$EXPECTED_HASH" != "$COMPUTED_HASH" ]];then + echo "error: expected $EXPECTED_HASH, computed $COMPUTED_HASH" + exit 1 + fi # Download binaries and license. - uses: actions/download-artifact@v3 with: 
@@ -86,22 +102,10 @@ jobs: # Verify binaries. - name: Verify binaries env: - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} PROVENANCE: "${{ needs.provenance.outputs.attestation-name }}" run: | set -euo pipefail - # Download the verifier. This will be replaced by the GHA. - gh -R slsa-framework/slsa-verifier release download v1.2.0 -p "slsa-verifier-linux-amd64" - chmod ug+x slsa-verifier-linux-amd64 - # Note: see https://github.com/slsa-framework/slsa-verifier/blob/main/SHA256SUM.md - COMPUTED_HASH=$(sha256sum slsa-verifier-linux-amd64 | cut -d ' ' -f1) - EXPECTED_HASH="37db23392c7918bb4e243cdb097ed5f9d14b9b965dc1905b25bc2d1c0c91bf3d" - if [[ "$EXPECTED_HASH" != "$COMPUTED_HASH" ]];then - echo "error: expected $EXPECTED_HASH, computed $COMPUTED_HASH" - exit 1 - fi - # Verify the binaries. for f in *; do @@ -117,7 +121,7 @@ jobs: done - # The slsa verifier is not part of the project. + # The slsa verifier is not part of the project, so remove it. rm ./slsa-verifier-linux-amd64 # Upload to release. From 063311723594792c1f5ffe61a7a899f7287621b7 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 11 Aug 2022 01:02:35 +0000 Subject: [PATCH 16/20] update Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 09899da64ff..e3c4eb7397a 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -75,7 +75,7 @@ jobs: permissions: contents: write steps: - # Install the verifier + # Install the verifier. his be replaced with the GHA in the future. - name: Install the verfier GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | From 1ab0e2ab6cef7278c1f6cbac400e878a181696d3 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 11 Aug 2022 01:03:12 +0000 Subject: [PATCH 17/20] update Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index e3c4eb7397a..6839ea924f1 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -106,7 +106,6 @@ jobs: run: | set -euo pipefail - # Verify the binaries. for f in *; do if [[ ! -f "$f.sha256" ]]; then From e1f8597e9608c71eee9814d6915376444d75e342 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 11 Aug 2022 01:07:02 +0000 Subject: [PATCH 18/20] update Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 6839ea924f1..637a0f541d4 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -77,7 +77,8 @@ jobs: steps: # Install the verifier. his be replaced with the GHA in the future. - name: Install the verfier - GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} + env: + GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -euo pipefail From 004fe6e79f3f9be462a18d2b27d3fabc1f525db6 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Thu, 11 Aug 2022 01:07:59 +0000 Subject: [PATCH 19/20] update Signed-off-by: laurentsimon --- .github/workflows/release.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 637a0f541d4..e50b941ee44 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -75,14 +75,13 @@ jobs: permissions: contents: write steps: - # Install the verifier. his be replaced with the GHA in the future. + # Install the verifier. This be replaced with the GHA in the future. - name: Install the verfier env: GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} run: | set -euo pipefail - # Download the verifier. This will be replaced by the GHA. gh -R slsa-framework/slsa-verifier release download v1.2.0 -p "slsa-verifier-linux-amd64" chmod ug+x slsa-verifier-linux-amd64 # Note: see https://github.com/slsa-framework/slsa-verifier/blob/main/SHA256SUM.md From 4efff15492edb1236f3884ae087da0649febdbfd Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Mon, 15 Aug 2022 23:48:56 +0000 Subject: [PATCH 20/20] update --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 7b4f3c527ec..e8156a8ce00 100644 --- a/README.md +++ b/README.md @@ -36,7 +36,7 @@ We generate [SLSA3 provenance](slsa.dev) using the OpenSSF's [slsa-framework/sls 1. Download the file named `attestation.intoto.jsonl` from the release 1. Run: ```shell -$ slsa-verifier -artifact-path -provenance attestation.intoto.jsonl -source github.com/docker/compose -branch v2 +$ slsa-verifier -artifact-path -provenance attestation.intoto.jsonl -source github.com/docker/compose -branch v2 -workflow-input tag= PASSED: Verified SLSA provenance ```
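Review bot: The rewritten comment still reads `# Install the verifier. This be replaced with the GHA in the future.`, which drops the verb, and the step name on the next line keeps the typo `Install the verfier`; suggest `# Install the verifier. This will be replaced with the GHA in the future.` and `- name: Install the verifier`. The deleted `# Download the verifier...` line was the only comment naming what the `gh release download` call fetches, so a short note such as `# Download the pinned verifier release asset.` above that line would keep the step self-explanatory. The step's `run:` block continues past the end of the hunk.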