
[GCB] Improve GCB verification tracking issue

Open asraa opened this issue 2 years ago • 2 comments

This issue tracks action items left for GCB verification support.

Currently, the workflows run on two schedules, a biweekly one and a daily one. The biweekly one triggers a build, while the daily one retrieves the latest build from that image and verifies it.

  • [ ] Add freshness check on build - in case the builds fail, detect that from the verifiers
  • [ ] Add provenance content verification to the payload: https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e.gcb.default.verify.sh#L19
  • [ ] Investigate 1st generation and 2nd generation repository generation image
  • [ ] Add non-annotated tag push.

Currently, we test:

Things to note:

  • We cannot test branch or tag options in the slsa-verifier for GCB - we only test that we can verify these triggers - so there doesn't seem to be a point in testing branch1. Tag verification is skipped because we aren't verifying on GITHUB_REF_TYPE tag (we build on tag, but verify on daily schedule)
  • Some workflows do not rebuild on workflow_dispatch to prevent overbuilding. Consider an input here, like this - on the other hand, you can manually trigger builds by clicking RUN on the trigger page
  • Only push to branch and tag are supported for GitHub repository triggers in GCB.

cc @laurentsimon @ianlewis

asraa Mar 09 '23 15:03
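The first two action items above (a freshness check so verifiers notice when the biweekly build has stopped producing new images, and content checks on the provenance payload) can be illustrated with a small standalone check. The following is an added example, not code from the example-package repository or its e2e workflow scripts. It assumes a SLSA v0.2 provenance predicate (fields `builder.id`, `invocation.configSource.uri` and `metadata.buildFinishedOn`); the sample predicate and the expected builder id below are constructed placeholders.

```python
"""Freshness and content checks over a SLSA v0.2 provenance predicate.

Added example: the daily verifier in the page only checks that the latest
image verifies; these helpers show how it could also detect a stale build
(the biweekly schedule silently failing) and assert on payload contents.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample predicate; every value is a placeholder, not a real GCB build.
SAMPLE_PREDICATE_JSON = json.dumps({
    "builder": {"id": "https://example.invalid/builder-id-placeholder"},
    "invocation": {
        "configSource": {
            "uri": "git+https://github.com/slsa-framework/example-package@refs/heads/main"
        }
    },
    "metadata": {"buildFinishedOn": "2023-03-08T10:00:00Z"},
})


def parse_rfc3339(ts):
    """Parse an RFC 3339 timestamp (as used by buildFinishedOn) into an aware UTC datetime."""
    if ts.endswith("Z"):
        ts = ts[:-1] + "+00:00"  # fromisoformat accepts 'Z' only on newer Pythons
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError("timestamp must carry a timezone")
    return dt.astimezone(timezone.utc)


def build_age_days(predicate_json, now_iso):
    """Days (float) between metadata.buildFinishedOn and the reference time now_iso."""
    predicate = json.loads(predicate_json)
    finished = parse_rfc3339(predicate["metadata"]["buildFinishedOn"])
    now = parse_rfc3339(now_iso)
    return (now - finished) / timedelta(days=1)


def check_freshness(predicate_json, now_iso, max_age_days):
    """True if the build finished within max_age_days before now_iso.

    A 'latest' provenance older than the build schedule allows means the
    scheduled build has been failing or not running, even though verifying
    the old image still succeeds. A build finished in the future fails too.
    """
    age = build_age_days(predicate_json, now_iso)
    if age < 0:
        return False
    return age <= max_age_days


def check_contents(predicate_json, expected_builder_id, expected_source_uri):
    """Return a list of mismatches between the predicate and the expected builder and source."""
    predicate = json.loads(predicate_json)
    problems = []
    builder_id = predicate.get("builder", {}).get("id")
    if builder_id != expected_builder_id:
        problems.append(f"builder.id: expected {expected_builder_id!r}, got {builder_id!r}")
    source_uri = predicate.get("invocation", {}).get("configSource", {}).get("uri")
    if source_uri != expected_source_uri:
        problems.append(
            f"invocation.configSource.uri: expected {expected_source_uri!r}, got {source_uri!r}"
        )
    return problems


if __name__ == "__main__":
    # Reference time and tolerance are constructed; a biweekly schedule suggests ~14 days.
    now = "2023-03-09T12:00:00Z"
    print("fresh (14d):", check_freshness(SAMPLE_PREDICATE_JSON, now, 14))
    print("fresh (1d): ", check_freshness(SAMPLE_PREDICATE_JSON, now, 1))
    print("content:", check_contents(
        SAMPLE_PREDICATE_JSON,
        "https://example.invalid/builder-id-placeholder",
        "git+https://github.com/slsa-framework/example-package@refs/heads/main",
    ))
```

In a scheduled verifier, `max_age_days` would be set slightly above the build schedule interval so a single missed run is reported rather than masked by a still-valid older image.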

Do you know what 1st vs 2nd source generation is?

laurentsimon Mar 09 '23 19:03

Do you know what 1st vs 2nd source generation is?

Not really, there are some docs. https://cloud.google.com/build/docs/repositories

It seems like it's more about the way that the connection is done (through GitHub Apps or auth?)

asraa Mar 09 '23 19:03