Skip to content

Commit

Permalink
fix the release workflow and install instructions
Browse files Browse the repository at this point in the history
Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>
  • Loading branch information
developer-guy committed Sep 14, 2023
1 parent 29d66fd commit 842e297
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 4 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -88,7 +88,7 @@ jobs:
with:
base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
upload-assets: true
upload-tag-name: "${{ needs.release.outputs.tag_name }}"
upload-tag-name: "${{ needs.goreleaser.outputs.tag_name }}"

verification:
needs:
Expand Down
12 changes: 9 additions & 3 deletions docs/install.md
Original file line number Diff line number Diff line change
Expand Up @@ -13,9 +13,15 @@ We generate [SLSA3 provenance](https://slsa.dev) using the OpenSSF's [slsa-frame

```shell
$ curl -sSfL "https://github.com/ko-build/ko/releases/download/v${VERSION}/ko_${VERSION}_${OS}_${ARCH}.tar.gz" > ko.tar.gz
$ curl -sSfL https://github.com/ko-build/ko/releases/download/v${VERSION}/attestation.intoto.jsonl > provenance.intoto.jsonl
$ slsa-verifier -artifact-path ko.tar.gz -provenance provenance.intoto.jsonl -source github.com/google/ko -tag "v${VERSION}"
PASSED: Verified SLSA provenance
$ curl -sSfL https://github.com/ko-build/ko/releases/download/v${VERSION}/multiple.intoto.jsonl > multiple.intoto.jsonl
$ slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl --source-uri github.com/ko-build/ko --source-tag "v${VERSION}" ko.tar.gz
Verified signature against tlog entry index 24413745 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77ab97a5263b5fa8f35789618348a39358b1f9470b0c31045ef
fbbe5e23e77a5836
Verified build using builder https://git.luolix.topslsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.7.0 at commit 200db7243f02b5
c0303e21d8ab8e3b4ad3a229d0
Verifying artifact ko.tar.gz: PASSED

PASSED: Verified SLSA provenance
```

```shell
Expand Down

0 comments on commit 842e297

Please sign in to comment.