From 574756259206c104bec644ce730a7095e1eb2d50 Mon Sep 17 00:00:00 2001
From: Diogo Teles Sant'Anna
Date: Wed, 28 Sep 2022 13:24:24 -0300
Subject: [PATCH] docs: explain why not using hash pinning in a GHA

Because of a demand of SLSA Generator, their action cannot be used through pinned hashing. As using tags goes agains the best practices, I'm letting explicit the reason why we are using them.

Signed-off-by: Diogo Teles Sant'Anna
---
 .github/workflows/release.yml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b7149a7a0..62e090d35 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -86,6 +86,8 @@ jobs:
 actions: read # To read the workflow path.
 id-token: write # To sign the provenance.
 contents: write # To add assets to a release.
+ # Currently this action needs to be referred by tag. More details at:
+ # https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
 with:
 attestation-name: provenance-sigstore-${{ github.event.release.tag_name }}.intoto.jsonl
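Review bot: The added comment explains why the reusable workflow is referenced by tag but leaves the consequence unstated — `v1.2.0` is a mutable ref, so a reader auditing this `uses:` line cannot tell which commit the tag was reviewed against when it was adopted. I would extend the comment to record that, e.g. `# Referenced by tag because the generator's provenance verification requires it (see link below); tag v1.2.0 was reviewed at commit <SHA-PLACEHOLDER> — re-check the tag's target when bumping.` The wording "referred by tag" reads more naturally as "referenced by tag". Note the commit description calls this "their action", while the hunk shows a reusable workflow call (`uses:` under a job with `permissions:`), not a step action; aligning the comment with that helps the next maintainer. The enclosing job, including the `permissions:` block these context lines belong to, starts above the hunk.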