docs: add section for verify-github-attestation #858
Conversation
Review comment on the README diff, at these lines:

> Attestations produced by [attest-build-provenance](https://github.com/actions/attest-build-provenance)
> Currently limited to artifacts built with the following builder-ids:
The documentation header makes this sound like this verifier supports all GitHub artifact attestations whereas we only support these hardcoded builder IDs. Is there anything we can add to make this more clear? References for how to onboard additional builder IDs?
I'll update this.
I think this is a bit of a design quirk with slsa-verifier. It's kind of a convoluted code path, but I think some further work here should allow any artifact attestation as long as you use the builder-id on the command line.
This README doesn't really dive into how to "add" anything in any other section, so I'm going to leave it out.
8e4ad4e to e519a38
Follow-up to #840
Resolves #849

Removes the experimental flag for verifying bazel attestations.

TODO:
- [ ] add example invocation for bazel #858 (review)
- [ ] create a new release

---------

Signed-off-by: Ramon Petgrave <[email protected]>
ignore those codeql failures, they're because I accidentally pushed a branch to this repo instead of the loosebazooka/slsa-verifier repo
Signed-off-by: Appu Goundan <[email protected]>
e519a38 to 543a19e
I think we merge post release?

Merge before release, so pkg.go.dev docs can be updated.
Readme update for #850