[docs][byob] Include information about needed BYOB builder-id input in README

[enteraga6]

closes #656

[laurentsimon]

most folks that validate provenance won't know about BYOB. Maybe this should be part of the BYOB.md doc in the generator repo instead? But I see that's it's strange that some builders hosted on our repo still require it and some don't. Maybe we need to fix that in the code, ie if the builder is hosted on the generator repo, then it remains optional. Wdut?

[enteraga6]

Maybe this should be part of the BYOB.md doc in the generator repo instead?

I think we still fall into the same problem then. If most that validate do not know about BYOB then including it in BYOB.md won't help most. I think adding the caveat in BYOB.md helps a bit at least.

Maybe we need to fix that in the code, ie if the builder is hosted on the generator repo, then it remains optional.

I agree. I think this is the best course of action. When it fails on BYOB generated artifacts, slsa-verifier is able to locate what the correct builderID is:

FAILED: SLSA verification failed: builderID does not match provenance: expected name 'https://github.com/enteraga6/slsa-github-generator/.github/workflows/builder_bazel_slsa3.yml', got 'https://github.com/slsa-framework/slsa-github-generator/.github/workflows/delegator_lowperms-generic_slsa3.yml'

Making it remain optional would work by implicitly loading the builderID flag if it can auto-detect that the builder is from slsa-github-generator. This would solve pain from users who just want to verify the provenance but do not care to learn about BYOB vs native, and make the process smoother.

[enteraga6]

pull request closed - check out comments on #656