@@ -105,55 +105,55 @@ jobs:
105105 fi
106106 echo "hashes=$hashes" >> $GITHUB_OUTPUT
107107
108- provenance :
109- name : Generate provenance (SLSA3)
110- needs :
111- - release
112- permissions :
113- actions : read # To read the workflow path.
114- id-token : write # To sign the provenance.
115- contents : write # To add assets to a release.
116- uses :
slsa-framework/slsa-github-generator/.github/workflows/[email protected] 117- with :
118- base64-subjects : " ${{ needs.release.outputs.hashes }}"
119- upload-assets : true # upload to a new release
108+ # provenance:
109+ # name: Generate provenance (SLSA3)
110+ # needs:
111+ # - release
112+ # permissions:
113+ # actions: read # To read the workflow path.
114+ # id-token: write # To sign the provenance.
115+ # contents: write # To add assets to a release.
116+ # uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] 117+ # with:
118+ # base64-subjects: "${{ needs.release.outputs.hashes }}"
119+ # upload-assets: true # upload to a new release
120120
121- verification :
122- name : Verify provenance of assets (SLSA3)
123- needs :
124- - release
125- - provenance
126- runs-on : ubuntu-latest
127- permissions : read-all
128- steps :
129- - name : Install the SLSA verifier
130- uses : slsa-framework/slsa-verifier/actions/installer@3714a2a4684014deb874a0e737dffa0ee02dd647 # v2.6.0
131- - name : Download assets
132- env :
133- GH_TOKEN : " ${{ secrets.GITHUB_TOKEN }}"
134- CHECKSUMS : " ${{ needs.release.outputs.hashes }}"
135- ATT_FILE_NAME : " ${{ needs.provenance.outputs.provenance-name }}"
136- run : |
137- set -euo pipefail
138- checksums=$(echo "$CHECKSUMS" | base64 -d)
139- while read -r line; do
140- fn=$(echo $line | cut -d ' ' -f2)
141- echo "Downloading $fn"
142- gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$fn"
143- done <<<"$checksums"
144- gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME"
145- - name : Verify assets
146- env :
147- CHECKSUMS : " ${{ needs.release.outputs.hashes }}"
148- PROVENANCE : " ${{ needs.provenance.outputs.provenance-name }}"
149- run : |
150- set -euo pipefail
151- checksums=$(echo "$CHECKSUMS" | base64 -d)
152- while read -r line; do
153- fn=$(echo $line | cut -d ' ' -f2)
154- echo "Verifying SLSA provenance for $fn"
155- slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
156- --source-uri "github.com/$GITHUB_REPOSITORY" \
157- --source-tag "$GITHUB_REF_NAME" \
158- "$fn"
159- done <<<"$checksums"
121+ # verification:
122+ # name: Verify provenance of assets (SLSA3)
123+ # needs:
124+ # - release
125+ # - provenance
126+ # runs-on: ubuntu-latest
127+ # permissions: read-all
128+ # steps:
129+ # - name: Install the SLSA verifier
130+ # uses: slsa-framework/slsa-verifier/actions/installer@3714a2a4684014deb874a0e737dffa0ee02dd647 # v2.6.0
131+ # - name: Download assets
132+ # env:
133+ # GH_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
134+ # CHECKSUMS: "${{ needs.release.outputs.hashes }}"
135+ # ATT_FILE_NAME: "${{ needs.provenance.outputs.provenance-name }}"
136+ # run: |
137+ # set -euo pipefail
138+ # checksums=$(echo "$CHECKSUMS" | base64 -d)
139+ # while read -r line; do
140+ # fn=$(echo $line | cut -d ' ' -f2)
141+ # echo "Downloading $fn"
142+ # gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$fn"
143+ # done <<<"$checksums"
144+ # gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME"
145+ # - name: Verify assets
146+ # env:
147+ # CHECKSUMS: "${{ needs.release.outputs.hashes }}"
148+ # PROVENANCE: "${{ needs.provenance.outputs.provenance-name }}"
149+ # run: |
150+ # set -euo pipefail
151+ # checksums=$(echo "$CHECKSUMS" | base64 -d)
152+ # while read -r line; do
153+ # fn=$(echo $line | cut -d ' ' -f2)
154+ # echo "Verifying SLSA provenance for $fn"
155+ # slsa-verifier verify-artifact --provenance-path "$PROVENANCE" \
156+ # --source-uri "github.com/$GITHUB_REPOSITORY" \
157+ # --source-tag "$GITHUB_REF_NAME" \
158+ # "$fn"
159+ # done <<<"$checksums"
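Review bot: Commenting out the `provenance` and `verification` jobs silently removes SLSA L3 provenance from every release, with no comment in the workflow stating why or whether it is temporary, so anyone who verifies this repository's releases with slsa-verifier (the exact flow the removed `verification` job exercised) will start failing. The `hashes` output still written at `echo "hashes=$hashes" >> $GITHUB_OUTPUT` in the surviving `release` job appears to have no remaining consumer in this hunk, so that step is now dead work unless something outside the hunk reads it. If the disable is temporary, add a dated note above the block such as `# TEMPORARY: provenance/verification disabled — <reason>; re-enable before next release` so the regression is not forgotten; if it is permanent, delete the dead jobs and the hash-collection step instead of keeping them commented, and mention the loss of provenance in the release notes so downstream verification policies can be adjusted. The `release` job's body starts outside the hunk.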