example-package
We currently only verify at HEAD https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e.gcb.default.verify.sh#L17
With attached provenance, testing CLI verification with a container with bad provenance attached is difficult. See https://github.com/slsa-framework/example-package/pull/104#discussion_r971338634 We can manipulate the container with cosign/crane, but cannot do this in the...
**Describe the bug** _I know this is an example repository, but if we are expecting people to install on their own systems, we should try to follow security best practices...
I added https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml temporarily to test verification of multiple subjects. It currently calls the verification scripts 3 times, meaning that it compiles the verifier 3 times. We need to update...
My PAT is being rate-limited. (It's also used for the Scorecard weekly cron.) We need some more donations. We could have a GENERIC_BLAZE_TOKEN, GENERIC_TOKEN, etc. from different people. /cc @ianlewis @asraa
We need to share the scripts between the main repo and this one to avoid wasting time updating each independently. See https://github.com/slsa-framework/slsa-github-generator/issues/26
If the path or names of inputs to the reusable workflow are not correct then the e2e test workflow doesn't run at all and doesn't create GitHub issues. We need...
We need to use personal access tokens for some actions in e2e tests. We should document what those actions are and what scopes the PAT needs to have, and how...
We have a default `DEFAULT_VERSION` used in workflows that release. We need to validate that they are unique to each workflow.