example-package
example-package copied to clipboard
slsa-framework
This is most likely due to rate limits on the `GITHUB_TOKEN`. We use both the `GITHUB_TOKEN` and PAT tokens for different things but perhaps we should use PAT tokens a...
I'd like to have a section in the top level README that showed status badges for workflows so you can tell at a glance which are succeeding and failing. Unfortunately...
Most tag workflows are triggered on all semver tags and quickly terminate because the tags major version does not match the version set in `DEFAULT_VERSION`. We can update the workflow's...
Example run for [e2e.go.tag.main.config-ldflags-assets-draft-tag.slsa3.yml](https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.tag.main.config-ldflags-assets-draft-tag.slsa3.yml) https://github.com/slsa-framework/example-package/actions/runs/4859360380/jobs/8661971560 ``` **** Wrong raw builder.id ***** FAILED: SLSA verification failed: open binary-linux-amd64-v37.0.3a: no such file or directory ```
I would like to update tests that are supposed to fail to be marked as succeeded workflows. This is so we can easily look at the list of workflow runs...
This function has a lot of special casing for each builder and is getting pretty hard to edit. We should either break up the function per builder or by verifier...
Let's update https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.generic.slsa2.yml to follow the same structure as https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.go.schedule.main.slsa3.yml Feel free to comment how to improve the current setup. @ianlewis do you want to take a stab at it?
Instead of using curl, we could use the gh CLI `gh api -H "Accept: application/vnd.github.v3+json"...`
There is a lot of redundant code in e2e tests that we may be able to get rid of by creating reusable GitHub actions
We should move to using GitHub App tokens owned by the slsa-framework org for this repo rather than using personal access tokens.