build: updating provenance generation for manual-publish workflows
rsoberano-ld committed Jan 27, 2024
1 parent 84d1413 commit 834a09f
Showing 2 changed files with 2 additions and 6 deletions.
4 changes: 1 addition & 3 deletions .github/workflows/manual-publish.yml
Expand Up @@ -50,6 +50,4 @@ jobs:
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.7.0
with:
base64-subjects: "${{ needs.build-publish.outputs.package-hashes }}"
upload-assets: true
upload-tag-name: TBD

upload-assets: ${{ !inputs.dry_run }}
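
Review bot: `upload-assets: ${{ !inputs.dry_run }}` is correct only if `dry_run` is declared as a `type: boolean` input; with a string or choice input, any non-empty value (including "false") negates to false and the provenance is never uploaded. The input declaration is outside this hunk, so please confirm it. Separately, `upload-tag-name: TBD` is dropped rather than filled in: a manually dispatched run is not necessarily on a release tag, so either set `upload-tag-name` explicitly or note in the workflow which release the generator is expected to attach the provenance to.
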
4 changes: 1 addition & 3 deletions PROVENANCE.md
Expand Up @@ -17,10 +17,8 @@ $ curl --location -O \
# Run slsa-verifier to verify provenance against package artifacts
$ slsa-verifier verify-artifact \
--provenance-path multiple-provenance.intoto.jsonl \
--source-uri github.com/launchdarkly/launchdarkly-server-sdk \
--source-uri github.com/launchdarkly/python-server-sdk \
launchdarkly_server_sdk-VERSION-py3-none-any.whl
TBD OUTPUT
```

Alternatively, to verify the provenance manually, the SLSA framework specifies [recommendations for verifying build artifacts](https://slsa.dev/spec/v1.0/verifying-artifacts) in their documentation.
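
Review bot: the `TBD OUTPUT` placeholder after the `slsa-verifier verify-artifact` command looks to be deleted rather than replaced, which leaves readers nothing to compare their own result against. Paste the output of a real successful run against a published wheel in its place. Also confirm that `--source-uri github.com/launchdarkly/python-server-sdk` matches the repository that actually runs manual-publish.yml, since anyone copying the command gets a verification failure if it does not.
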