slsa-github-generator

[bug] generator_generic_slsa3.yml upload-assets creates duplicate draft release

Open bradh352 opened this issue 1 year ago • 2 comments

Describe the bug

We are using generator_generic_slsa3.yml to generate SLSA3 for the c-ares project and just had our first release using it. We generate the release and upload the tarball using softprops/action-gh-release@v2 and mark the release as a draft. We then go through the provenance and it generates another draft of the release with the same name instead of uploading it to the existing draft with the name.

I have not attempted to allow it to use a non-draft release for both steps of the process, mainly because I must come back and PGP sign the tarball that is generated and upload that signature and want to wait to turn off the draft status until that is done. So maybe this is a draft-related issue.

To Reproduce

See workflow https://github.com/c-ares/c-ares/blob/v1.34.3/.github/workflows/package.yml

Expected behavior

Expected that the generated .intoto.jsonl file be uploaded to the existing draft release.

bradh352, Nov 09 '24 17:11