v0.13.0 release failed provenance validation #978

Closed
imjasonh opened this issue Mar 10, 2023 · 2 comments · Fixed by #980

Comments

@imjasonh
Member

The release workflow failed during verification: https://github.com/ko-build/ko/actions/runs/4386793516/jobs/7681560335

Looking at the release artifacts, here: https://github.com/ko-build/ko/releases/tag/v0.13.0

There's a multiple.intoto.jsonl uploaded by the provenance generation workflow, but the verification step seems to be looking for attestation.intoto.jsonl. Please let me know if this is a bug on ko's end, or if this is a misconfiguration, or a bug in the SLSA provenance generation.

cc @laurentsimon @ianlewis

@imjasonh changed the title from "v0.13.0 release missing provenance attestation" to "v0.13.0 release failed provenance validation" on Mar 10, 2023
ianlewis added a commit to ianlewis/ko that referenced this issue Mar 13, 2023
Fixes ko-build#978

Uses the `attestation-name` output from `generator_generic_slsa3.yml` to get the artifact name to download.

Also removes the `compile-generator` input as slsa-framework/slsa-github-generator#1163 was fixed.

Signed-off-by: Ian Lewis <[email protected]>
@ianlewis

Apologies. It seems we updated the default name of the attestation artifact that gets uploaded. #980 addresses this by using the attestation-name output which gives the name of the artifact rather than using a static value.

@developer-guy
Collaborator

Thanks for fixing this @ianlewis!

imjasonh pushed a commit that referenced this issue Mar 13, 2023
Fixes #978

Uses the `attestation-name` output from `generator_generic_slsa3.yml` to get the artifact name to download.

Also removes the `compile-generator` input as slsa-framework/slsa-github-generator#1163 was fixed.

Signed-off-by: Ian Lewis <[email protected]>
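
The fix described in the commit message and in @ianlewis's comment, shown as an added example that is not part of this thread or of ko's release workflow: a constructed workflow whose verify job downloads the provenance by the generator's `attestation-name` output instead of a static file name. Job names, `make dist`, the `dist/` layout and the `vX.Y.Z` pins are placeholders.

```yaml
# Constructed workflow, not ko's release workflow. Job names, `make dist`,
# the dist/ layout and the vX.Y.Z pins are placeholders.
name: release
on:
  push:
    tags: ["v*"]
jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
      - run: make dist                      # hypothetical build step
      - id: hash                            # subjects for the provenance
        run: echo "hashes=$(cd dist && sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with: { name: dist, path: dist/ }
  provenance:
    needs: build
    permissions: { actions: read, id-token: write, contents: write }
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@vX.Y.Z
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
      upload-assets: true
  verify:
    needs: [build, provenance]
    runs-on: ubuntu-latest
    env:
      # Name reported by this generator run, instead of a hard-coded
      # "attestation.intoto.jsonl" that breaks when the default changes.
      PROVENANCE: ${{ needs.provenance.outputs.attestation-name }}
    steps:
      - uses: slsa-framework/slsa-verifier/actions/installer@vX.Y.Z
      - uses: actions/download-artifact@v4
        with: { name: dist, path: dist }
      # download-artifact must be compatible with the generator's upload-artifact major
      - uses: actions/download-artifact@v4
        with: { name: "${{ needs.provenance.outputs.attestation-name }}" }
      - run: |
          # Fail with a clear message if the attestation is absent or empty.
          test -s "$PROVENANCE" || { echo "::error::no provenance at $PROVENANCE"; exit 1; }
          for f in dist/*; do
            slsa-verifier verify-artifact "$f" \
              --provenance-path "$PROVENANCE" \
              --source-uri "github.com/$GITHUB_REPOSITORY" \
              --source-tag "$GITHUB_REF_NAME"
          done
```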