slsa-framework / example-package Goto Github PK
View Code? Open in Web Editor NEWLicense: Apache License 2.0
example-package's People
Contributors
Stargazers
Watchers
Forkers
marklodato laurentsimon ianlewis openmev asraa mihaimaruseac renovate-bot kpk47 qpc-github garrettwong 3v01one enteraga6 topimiettinen samkenxstream adamkorcz fairhopeweb hhp8088 ramonpetgrave64 jul-shexample-package's Issues
Validate version ranges are unique
We have default DEFAULT_VERSION used in workflows that release. We need to validate there are unique to each workflow.
Feature: remove THIS_FILE
We hardcode THIS_FILE in workflows. We may replace it by retrieving i dynamically via run APIs slsa-framework/slsa-github-generator#11 (comment)
Feature: replace curl with `gh api`
Instead of using curl, we could use the gh CLI gh api -H "Accept: application/vnd.github.v3+json"...
Add SLSA v1.0 Provenance verification
Using this to track progress here for 1.0 docker-based verification, so that for delegator you can reference it.
BUG: release tests compete for new version number
We need to fix this. I think the easiest way is to give each test its own MAJOR number
BUG: main and branch1
When cutting a release for main and when branch1 is at the same commit, the release trigger sometimes indicates that the release if for the branch1 instead of main. This makes workflows that expect main branch exit early and not run at all.
Here's an example https://github.com/slsa-framework/example-package/actions/runs/2476105727:
THIS_FILE: e2e.go.tag.main.config-ldflags-assets-version.slsa3.yml
mismatch branch: file contains refs/heads/main; GitHub env contains refs/heads/branch1
What's really strange is that we explicitly set the branch when creating the release https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e-create-release.sh#L51
Feature: create shared script for invoking slsa verify
Externalize scripts
Lots of scripts are inline in yaml and we'd like to externalize into their own files as much as possible so that linters will run on them etc.
Document use of PAT token
We need to use personal access tokens for some actions in e2e tests. We should document what those actions are and what scopes the PAT needs to have, and how to create one.
Why do we need PAT?
- push using
github.tokendoes not trigger subsequent workflows: https://github.community/t/push-from-action-does-not-trigger-subsequent-action/16854 - to create issues in the slsa-framework/slsa-github-generator repo since it's not the same repository.
- to create releases for release trigger e2e tests
What scopes do we need:
- repo
- ???
Docker base image verification check
Fix vM.N handling for verifier
FAILED: SLSA verification failed: v14.2.: invalid semantic version
โ 2 == 0 :: 14.2. versioned-tag vM.N.P (14.2.) should be correct
Error: Process completed with exit code 1.
enable GCB verification for older version
We currently only verify at HEAD https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e.gcb.default.verify.sh#L17
Add a GitHub action that exercises the Bazel build path
Handle updates in verifier CLI arguments and subcommands
After slsa-framework/slsa-verifier#231
we will have two sub-commands added to the verifier: verify-artifact and verify-container.
Then, we will also have the following transformation on argument names:
# provenance -> provenance-path
# source -> source-uri
# tag -> source-tag
# versioned-tag -> source-versioned-tag
# branch -> source-branch
# workflow-input -> build-workflow-input
WDYT about making a e2e_verifier_arg_transformer $tag that returns a function who's signature is func $argument and returns the correct argument name? Likewise, we can make e2e_verifier_subcommand_transformer $tag that returns a func whos signature is func $artifact-type and returns either verify-artifact or "" for previous versions?
I am not so well-versed in bash scripting, but I think I can do something like that.
Fix linter errors
Since we can't block on lint errors we have some errors that are generated w/ the current code. We should fix those.
Feature: Action to install scripts
We need to share the scripts between the main repo and this one to avoid wasting time updating each independently.
See slsa-framework/slsa-github-generator#26
Helper function for version handling
As we fix bugs and add features, we will need to perform different tests based on the version of the verifier.
It would be helpful to have functions like version_lt, version_gt, version_range, major_lt, etc
Feature: update e2e tests for generic repo
Let's update https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.generic.slsa2.yml to follow the same structure as https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.go.schedule.main.slsa3.yml
Feel free to comment how to improve the current setup.
@ianlewis do you want to take a stab at it?
Feature: customizable builder name
The builder name is currently hardcoded in https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e-verify.sh#L143
We should make it parameterizable, e.g. via a BUILDER env variables declared in workflows.
This will allow us to support other builders
Add link to workflow runs page in created issues
Validate that workflow names are unique
The workflow name is used by several workflows, so we should ensure they are unique
BUG: assert_eq does not work
The assertion functions for the bash script don't seem to work. It may be because of the set -euo pipefail we use.
Dependency Dashboard
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
Awaiting Schedule
These updates are awaiting their schedule. Click on a checkbox to get an update now.
- Update golang:1.21 Docker digest to 392d2b6
- Update dependency org.apache.maven.plugins:maven-deploy-plugin to v3.1.2
- Update dependency org.apache.maven.plugins:maven-shade-plugin to v3.5.3
- Update dependency org.apache.maven.plugins:maven-source-plugin to v3.3.1
- Update github-actions (
actions/checkout,actions/download-artifact,actions/setup-go,actions/setup-node,actions/upload-artifact,docker/build-push-action,docker/login-action,docker/setup-buildx-action,golangci/golangci-lint-action,google-github-actions/auth,goreleaser/goreleaser-action,sigstore/cosign-installer) - Update npm (
@actions/artifact,@actions/http-client,@octokit/action) - Update dependency bazel to v7.1.2
- Update dependency gradle to v8.7
- Update dependency io_bazel_rules_go to v0.47.1
- Update dependency org.apache.maven.plugins:maven-gpg-plugin to v3.2.4
- Update dependency typescript to v5.4.5
- Update golang Docker tag to v1.22
- Update dependency @octokit/action to v7
- Update github-actions (major) (
golangci/golangci-lint-action,slsa-framework/example-trw)
Warning
Renovate failed to look up the following dependencies: Failed to look up maven package io.github.slsa-framework.slsa-github-generator:hash-maven-plugin.
Files affected: e2e/maven/workflow_dispatch/pom.xml
Detected dependencies
Note
Detected dependencies section has been truncated
bazel
WORKSPACE
io_bazel_rules_go v0.45.1
bazelisk
.bazelversion
bazel 7.0.2
cloudbuild
cloudbuild.yaml
dockerfile
Dockerfile
golang 1.21@sha256:d83472f1ab5712a6b2b816dc811e46155e844ddc02f5f5952e72c6deedafed77gcr.io/distroless/static sha256:41972110a1c1a5c0b6adb283e8aa092c43c31f7c5d79b8656fbffff2c3e61f05
github-actions
.github/workflows/e2e.container-based.push.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container-based.push.main.multi.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container-based.schedule.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container-based.schedule.main.gcp-workload-identity.slsa3.yml
google-github-actions/auth v2.1.0@5a50e581162a13f4baa8916d01180d2acbc04363actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56google-github-actions/auth v2.1.0@5a50e581162a13f4baa8916d01180d2acbc04363docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046dactions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container-based.schedule.main.matrix.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container-based.schedule.main.registry-username-secret.yml
docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046dactions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container-based.schedule.main.registry-username.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046dactions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container-based.tag.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container-based.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml
slsa-framework/slsa-github-generator v2.0.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container-based.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml
ramonpetgrave64/slsa-github-generator v2.0.0-rc.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container-based.workflow_dispatch.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container.push.branch1.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11sigstore/cosign-installer v3.4.0@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container.push.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11sigstore/cosign-installer v3.4.0@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container.schedule.main.continue-on-error.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11sigstore/cosign-installer v3.4.0@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container.schedule.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11sigstore/cosign-installer v3.4.0@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container.schedule.main.provenance-repository.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11sigstore/cosign-installer v3.4.0@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container.tag.branch1.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11sigstore/cosign-installer v3.4.0@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container.tag.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11sigstore/cosign-installer v3.4.0@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container.tag.main.gcp-workload-identity.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11google-github-actions/auth v2.1.0@5a50e581162a13f4baa8916d01180d2acbc04363actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11google-github-actions/auth v2.1.0@5a50e581162a13f4baa8916d01180d2acbc04363sigstore/cosign-installer v3.4.0@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container.tag.main.registry-username-secret.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11sigstore/cosign-installer v3.4.0@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container.workflow_dispatch.branch1.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11sigstore/cosign-installer v3.4.0@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56slsa-framework/slsa-github-generator v2.0.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56ramonpetgrave64/slsa-github-generator v2.0.0-rc.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container.workflow_dispatch.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11sigstore/cosign-installer v3.4.0@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.container.workflow_dispatch.main.workflow_inputs.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11docker/setup-buildx-action v3.0.0@f95db51fddba0c2d1ec667646a06c2ce06100226docker/login-action v3.0.0@343f7c4344506bcbf9b4de18042ae17996df046ddocker/metadata-action v5.5.1@8e5442c4ef9f78752691e2d8f8d19755c6f78e81docker/build-push-action v5.1.0@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11sigstore/cosign-installer v3.4.0@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.delegator-generic.create.main.checkout.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427slsa-framework/example-trw v1.11.0actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.delegator-generic.create.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427slsa-framework/example-trw v1.11.0actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.delegator-generic.push.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427slsa-framework/example-trw v1.11.0actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.delegator-generic.release.main.checkout.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427slsa-framework/example-trw v1.11.0actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.delegator-generic.release.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427slsa-framework/example-trw v1.11.0actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.delegator-generic.tag.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427slsa-framework/example-trw v1.11.0actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.delegator-generic.workflow_dispatch.branch1.checkout.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427slsa-framework/example-trw v1.11.0actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.delegator-generic.workflow_dispatch.branch1.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427slsa-framework/example-trw v1.11.0actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.delegator-generic.workflow_dispatch.main.checkout.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427slsa-framework/example-trw v1.11.0actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.delegator-generic.workflow_dispatch.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427slsa-framework/example-trw v1.11.0actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.delegator-lowperms.create.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.delegator-lowperms.push.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.delegator-lowperms.release.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.delegator-lowperms.tag.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.delegator-lowperms.workflow_dispatch.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11slsa-framework/example-trw v1.11.0actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.gcb.push.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11google-github-actions/auth v2google-github-actions/setup-gcloud v2.1.0@98ddc00a17442e89a24bbf282954a3b65ce6d200actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.gcb.tag.main.annotated-build.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11google-github-actions/auth v2google-github-actions/setup-gcloud v2.1.0@98ddc00a17442e89a24bbf282954a3b65ce6d200actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.gcb.workflow_dispatch.main.dockerfile.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11google-github-actions/auth v2google-github-actions/setup-gcloud v2.1.0@98ddc00a17442e89a24bbf282954a3b65ce6d200.github/workflows/e2e.generic.push.branch1.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.push.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.push.main.upload-tag-name.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.release.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.schedule.main.adversarial-invalidpath.slsa3.yml
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.schedule.main.adversarial-invalidsubjects.slsa3.yml
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.schedule.main.default.slsa3.yml
actions/checkout v4bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.schedule.main.multi-uses.slsa3.yml
actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.schedule.main.provenance-name.slsa3.yml
actions/checkout v4bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.tag.branch1.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.tag.main.annotated.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.tag.main.assets.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.tag.main.goreleaser-assets-multi-subjects.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4goreleaser/goreleaser-action v5.0.0@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.workflow_dispatch.branch1.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-builder-binary.slsa3.yml
slsa-framework/slsa-github-generator v2.0.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.workflow_dispatch.main.adversarial-verifier-binary.slsa3.yml
ramonpetgrave64/slsa-github-generator v2.0.0-rc.0actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.workflow_dispatch.main.default.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects-adversarial-format.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects-adversarial-sha256.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.workflow_dispatch.main.large-subjects.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.workflow_dispatch.main.tagname.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.generic.workflow_dispatch.main.workflow_inputs.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4bazelbuild/setup-bazelisk v3.0.0@b39c379c82683a5f25d34f0d062761f62693e0b2actions/upload-artifact v4.3.1@5d5d22a31266ced268874388b861e4b58bb5c2f3actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.go.push.branch1.config-ldflags.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.go.push.main.config-ldflags.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.go.push.main.config-noldflags.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.go.release.main.config-ldflags-assets.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.go.release.main.config-ldflags-noassets.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.go.schedule.main.adversarial-binary-upload.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.go.schedule.main.adversarial-build-provenance.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.go.schedule.main.adversarial-build.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.go.schedule.main.adversarial-invalidpath.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.go.schedule.main.config-ldflags-main-dir.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.go.schedule.main.config-ldflags-main.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.go.schedule.main.config-noldflags.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.go.schedule.main.noldflags-multi-uses.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427actions/setup-go v5.0.0@0c52d547c9bc32b1aa3301fd7a9cb496313a4491actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11.github/workflows/e2e.go.tag.branch1.config-ldflags-assets.slsa3.yml
actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/checkout v4.1.1@b4ffde65f46336ab88eb53be808477a3936bae11actions/download-artifact v4.1.4@c850b930e6ba138125429b7e5c93fc707a7f8427
- Check this box to trigger a request for Renovate to run again on this repository
Common verify function for builders
We need common verify function for the tests
Verifier e2e: Use programmatic version instead of requiring v15
Enable linters
Add linter config to catch issues with shell scripts and yaml etc.
Add malicious provenance test for OCI container images
With attached provenance, testing CLI verification with a container with bad provenance attached is difficult. See #104 (comment)
We can manipulate the container with cosign/crane, but cannot do this in the shell script right now
Version release handling
As we create more and more release, we may miss the latest release (we currently list 200 in the script). I don't know how the results are ordered when querying the API. If it's chronological, we're fine. But I've already seen some versions being missed, so I suspect it's not...
We may want to delete releases on a regular basis to clean them up, once #34 is resolved
Feature: create action to encapsulate tests
There is a lot of redundant code in e2e tests that we may be able to get rid of by creating reusable GitHub actions
[GCB] Improve GCB verification tracking issue
This issue tracks action items left for GCB verification support.
Currently, the workflows run on two schedules, a biweekly one and a daily one. The biweekly one triggers a build, while the daily one retrieves the latest build from that image and verifies it.
- Add freshness check on build - in case the builds fail, detect that from the verifiers
- Add provenance content verification to the payload: https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e.gcb.default.verify.sh#L19
- Investigate 1st generation and 2nd generation repository generation
- Add non-annotated tag push.
Currently, we test:
Things to note:
- We cannot test branch or tag options in the slsa-verifier for GCB - we only test that we can verify these triggers - so there doesn't seem to be a point in testing
branch1. Tag verification is skipped because we aren't verifying on GITHUB_REF_TYPE tag (we build on tag, but verify on daily schedule) - Some workflows do not rebuilds on workflow_dispatch to prevent overbuilding. Consider an input here, like this - on the other hand, you can manually trigger builds by clicking RUN on the trigger page
- Only push to branch and tag are supported for GitHub repository triggers in GCB.
Prereleases are not enumerated in e2e-create-release
See here:
https://github.com/slsa-framework/example-package/actions/runs/4443615380/jobs/7801046760
when creating a new release, we don't skip over pre-release
also, make sure pre-releases are deleted in the cleanup script.
Default version range for new workflows
The readme: If there is no existing version for the $THIS_FILE, release creation will fail. This mean that when creating a new e2e workflow for a tag trigger, you need to manually create the first release and the notes must contain the $THIS_FILE
We need to automate this part. The release script can be smarter by taking a default version range and creating the first release.
It should also verify that each version range is unique to a workflow, ie there's no collision between them
Test for release assets for generic generator
This is missing, let's add it.
More efficient verification of multi-subject generic provenance
temporarily to test verification of multiple subjects. It currently calls the verification scripts 3 times, meaning that it compiles the verifier 3 times.
We need to update the scripts to verify the 3 artifacts with a single call.
/cc @ianlewis
goreleaser example
One of the use cases of using SLSA generators is generating artifacts with GoReleaser and using a generic generator to generate provenance, so, it'd be good to add an example of this to ensure that everything is working as we expected during new releases of both GoReleaser and generators. Maybe we could add draft-release support to test the new behavior slsa-framework/slsa-github-generator#1476.
/cc @caarlos0
WDYT @ianlewis @laurentsimon @asraa ?
Fix annotated tag support at HEAD
slsa-framework/slsa-verifier#193
Currently, we exit early out of the verification when verifying annotated tags for less than version 1.3 OR HEAD
Fix, so we verify at HEAD
Container: Add a workflow for verifier e2e test generation
slsa-framework/slsa-github-generator#1108
Similar to the other .github/workflows/verifier-e2e* workflows.
Example project doesn't build
The github.com/pborman/uuid dependency is not defined in BUILD.
$ bazel build //:hello
INFO: SHA256 (https://golang.org/dl/?mode=json&include=all) = a4d705c35801dd9f1977d7ab1e06541f2930ee95d07cecd4cd9384a8b5022b74
INFO: Analyzed target //:hello (36 packages loaded, 7185 targets configured).
INFO: Found 1 target...
ERROR: /usr/local/google/home/ianlewis/tmp/example-package/BUILD:3:10: GoCompilePkg hello.a failed: (Exit 1): builder failed: error executing command bazel-out/host/bin/external/go_sdk/builder compilepkg -sdk external/go_sdk -installsuffix linux
_amd64 -src main.go -p main -package_list bazel-out/host/bin/external/go_sdk/packages.txt -o ... (remaining 7 argument(s) skipped)
Use --sandbox_debug to see verbose messages from the sandbox builder failed: error executing command bazel-out/host/bin/external/go_sdk/builder compilepkg -sdk external/go_sdk -installsuffix linux_amd64 -src main.go -p main -package_list bazel-o
ut/host/bin/external/go_sdk/packages.txt -o ... (remaining 7 argument(s) skipped)
Use --sandbox_debug to see verbose messages from the sandbox
compilepkg: missing strict dependencies:
/usr/local/google/home/ianlewis/.cache/bazel/_bazel_ianlewis/ecc6b2c9535458cf9591ab3a5314645a/sandbox/linux-sandbox/3/execroot/__main__/main.go: import of "github.com/pborman/uuid"
No dependencies were provided.
Check that imports in Go sources match importpath attributes in deps.
Target //:hello failed to build
Use --verbose_failures to see the command lines of failed build steps.
INFO: Elapsed time: 14.398s, Critical Path: 1.33s
INFO: 7 processes: 5 internal, 2 linux-sandbox.
FAILED: Build did NOT complete successfully
Tags for old releases should be deleted as well.
The e2e-delete-old-releases.sh script only deletes old 'releases'. It does not delete old tags for those releases.
GitHub does not trigger GitHub Actions on new releases if the tag is not new. The script should remote delete the tag for the release as well.
Create issues even when workflow is invalid
If the path or names of inputs to the reusable workflow are not correct then the e2e test workflow doesn't run at all and doesn't create GitHub issues. We need to find a way to have issues created even when the workflow is invalid.
Test verification at verifier's HEAD and for all previous released versions
Stagger scheduled e2e tests more
Stagger tests more to mitigate rate limit errors
workflow_dispatch input
We don't currently verify the input field of a workflow_dispatch trigger are properly populated.
I think we need to:
- Verify it's empty when no inputs are provided
- Verify it's properly populated when we pass some options
@ianlewis do we have other tests to be sure it works before we announce v1 release?
Workflow Dispatch e2e tests: Permissions error
Are any of them running?
See https://github.com/slsa-framework/example-package/actions/runs/3110439161
THIS_FILE: e2e.generic.workflow_dispatch.main.default.slsa3.yml
{
"message": "Resource not accessible by integration",
"documentation_url": "https://docs.github.com/rest/reference/actions#create-a-workflow-dispatch-event"
}
Update tests that are expected to "fail" to succeed
I would like to update tests that are supposed to fail to be marked as succeeded workflows. This is so we can easily look at the list of workflow runs and find what's broken.
Right now it's really hard to see if tests are actually broken or are working fine just based on the workflow runs page.
PAT is being rate-limited
Update set-output commands
Remove old artifact-tamper action
I updated the Action by copying the old Action (https://github.com/slsa-framework/example-package/tree/main/.github/actions/tamper-artifact) into a new one (https://github.com/slsa-framework/example-package/tree/main/.github/actions/tamper-artifact-new). Once it all works, we can delete the old one and rename the new one.
Improve Scorecard Score
Describe the bug
I know this is an example repository, but if we are expecting people to install on their own systems, we should try to follow security best practices as well. If the example is no longer valid, we could either repurpose or deprecate the repo.
Improve repository's OpenSSF Scorecard score (currently at 4.1)
To Reproduce
docker run -e GITHUB_AUTH_TOKEN gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/slsa-framework/example-package --format=json > scorecard_slsa-framework_example-package.json
Expected behavior
- Branch Protections could be improved
- CII-Best-Practices Badge could be obtained
- Project should always have reviews/CI-Tests when possible
- Project should be Fuzzed
- Dependencies should be updated regularly with automated tooling
- All dependencies should be pinned via hash
- SAST Tool should be used to scan upon code commits
- Security Policy should be created
- Token Permissions should follow principle of least privilege
Screenshots
Additional context
Attempted to upload the JSON file, but github does not allow me to. Related to recommendation of securing our repos: slsa-framework/slsa#424
BUG: E2E failing
Because it's still WIP, i create issues on a personal repo when e2e fail see https://github.com/laurentsimon/slsa-on-github-test/issues
I will move these to the slsa-github-generator-go website once the last couple e2e tests are commplete.
The entrypoint seems to be empty... If I read the error properly.
/cc @ianlewis
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.