scorecard_4.5.0_linux_amd64.tar.gz wasn't released #2118
Comments
https://github.com/ossf/scorecard/runs/7638647801?check_suite_focus=true Lines 31 to 34 in 3b7c46f
3b7c46f#diff-42e26dc67aed8aa3edb2472b4403288c1699fb6dc47419b9a475f0f224fe4689L32
Oh, this change seems to be intentional.
$ slsa-verifier --artifact-path scorecard-linux-amd64 \
--provenance scorecard-linux-amd64.intoto.jsonl \
--source github.com/ossf/scorecard \
--tag v4.5.0
2022/08/03 04:10:35 open scorecard-linux-amd64: no such file or directory
CI failed.
The latest version of slsa-framework/slsa-github-generator is v1.2.0
@laurentsimon fyi.
Thanks. Sigstore made a breaking change which breaks every existing builder (sigstore/cosign#2121). Sorry about that. Working on backporting some fixes to the older builders ...
Now it is released
https://github.com/ossf/scorecard/releases/tag/v4.6.0
It would be fun to simulate an attack and catch it via your automated CI. Feel free to reach out if you're interested.
Thank you for your great project!
I found scorecard_4.5.0_linux_amd64.tar.gz wasn't released.
https://github.com/ossf/scorecard/releases/tag/v4.5.0
On the other hand, scorecard_4.4.0_linux_amd64.tar.gz was released.
https://github.com/ossf/scorecard/releases/tag/v4.4.0
Could you release scorecard_4.5.0_linux_amd64.tar.gz?
Thank you.