feat: testing mode from non-main slsa-framework/slsa-github-generator branches
Allow verifying provenances from the slsa-framework/slsa-github-generator branches. This is useful during development.
We could also allow the tester to customize the repo, to perhaps their own fork. Example:
SLSA_VERIFIER_TESTING_ALTERNATE_SOURCE_REPO="ramonpetgrave64/slsa-verifier" \
go run . verify-artifact ...
Testing
- Added unit tests
- manually invoking against provenance and artifacts from a test workflow run
  - https://github.com/slsa-framework/slsa-github-generator/actions/runs/10308515370
- also verifying within the same workflow
  - https://github.com/slsa-framework/slsa-github-generator/actions/runs/10308515370/job/28536184530#step:6:1
@ianlewis @laurentsimon
Is this to support running slsa-verifier in slsa-github-generator pre-submits? I kind of thought we did this already but maybe I'm misremembering?
@ianlewis not for pre-submits, or pull_request events, but for push events, since id-token isn't available for PRs. And so far it seems not yet resolved.
- https://github.com/slsa-framework/slsa-github-generator/issues/131
So I might be testing changes on a separate branch "ramoneptgrave64-my-tests" that exists on the slsa-framework/slsa-github-generator repo.
Additional discussion, considering using an alternative identity token within PRs
- https://github.com/slsa-framework/slsa-github-generator/pull/3777#discussion_r1795254767