updates

ossf · Jun 7, 2022 · 75053cd · 75053cd
1 parent a39cfc2
commit 75053cd
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 7 deletions.
diff --git a/.github/workflows/slsa-goreleaser.yml b/.github/workflows/slsa-goreleaser.yml
@@ -1,4 +1,4 @@
-name: Test SLSA
+name: SLSA releaser
 on:
   workflow_dispatch:
   push:
@@ -26,10 +26,10 @@ jobs:
   build:
     permissions:
       id-token: write
-      contents: read
+      contents: write
       actions: read
     needs: args
-    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v0.0.2
+    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.0.0
     with:
       go-version: 1.17
-      evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
+      evaluated-envs: "VERSION_LDFLAGS:${{needs.args.outputs.ldflags}}"
diff --git a/.slsa-goreleaser.yml b/.slsa-goreleaser.yml
@@ -10,6 +10,6 @@ flags:
 
 goos: linux
 goarch: amd64
-binary: scorecard-{{ .OS }}-{{ .Arch }}
+binary: scorecard-{{ .Os }}-{{ .Arch }}
 ldflags:
-  - -s {{ .Env.VERSION_LDFLAGS }}
+  - -s {{ .Env.VERSION_LDFLAGS }}
diff --git a/README.md b/README.md
@@ -148,8 +148,13 @@ To install Scorecards as a standalone:
 
 1.  Visit our latest
     [release page](https://github.com/ossf/scorecard/releases/latest) and
-    download the correct binary for your operating system
+    download the correct binary for your operating system 
 2.  Extract the binary file
+3.  We are proud to be one of the the first repositories to generate non-forgeable SLSA3 provenance natively using the OSSF [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) project for our linux amd64 binary. If you use this binary, you can verify it by installing the [slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier#download-the-binary) and running:
+```
+$ ./slsa-verifier-linux-amd64 --artifact-path scorecard-linux-amd64 --provenance scorecard-linux-amd64.intoto.jsonl --source github.com/ossf/scorecard
+```
+This guarantees that the binary you downloaded was generated using the source code of this repository. If you're interested in reading more about SLSA, visit [slsa.dev](slsa.dev).
 3.  Add the binary to your `GOPATH/bin` directory (use `go env GOPATH` to
     identify your directory if necessary)