mirror of
https://github.com/slsa-framework/slsa-verifier.git
synced 2026-05-07 00:56:39 +00:00
This sets the expected sha256 of the v2.5.1 slsa-verifier released binary.

How to LGTM this PR (I'll work on a proper doc for this in https://github.com/slsa-framework/slsa-github-generator/issues/112):

1. Download the binary and provenance from https://github.com/slsa-framework/slsa-verifier/releases/tag/v0.0.1
2. Clone the slsa-verifier repo, compile and verify the provenance using the steps described in https://github.com/slsa-framework/slsa-verifier/blob/main/RELEASE.md#verify-provenance

```
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$ bash verify-release.sh v2.5.1
```

The output hash should be the hash I'm updating to in this PR. If they match, LGTM. If they don't, someone tampered with the released binary and don't LGTM

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
slsa-verifier setup GitHub Action
This action installs the SLSA verifier and adds it to your PATH.
For more information about slsa-verifier, refer to its documentation.
For more information about SLSA in general, see https://slsa.dev.
Usage
To install a specific version of slsa-verifier, use:
```yaml
uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1
```
See https://github.com/slsa-framework/slsa-verifier/releases for the list of available slsa-verifier releases. Only versions greater than or equal to 2.0.1 are supported.
This action requires using GitHub-provided Linux runners.
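The following workflow is an added example, not taken from the project's documentation: it installs the verifier with this action and then checks a release artifact against its provenance before anything else uses it. The repository, asset name, and the `.intoto.jsonl` provenance file name are placeholders and assumptions; substitute the values for the project you are verifying.

```yaml
# Added example. REPO, ARTIFACT and the provenance file name are placeholders.
name: verify-release-provenance
on:
  workflow_dispatch:
    inputs:
      tag:
        description: Release tag to verify (for example v1.2.3)
        required: true

permissions:
  contents: read  # read-only token: the job only downloads release assets

jobs:
  verify:
    runs-on: ubuntu-latest  # the installer requires a GitHub-provided Linux runner
    env:
      REPO: example-org/example-repo        # placeholder repository
      ARTIFACT: example-binary-linux-amd64  # placeholder release asset name
      TAG: ${{ inputs.tag }}                # passed via env, not interpolated into the script
      GH_TOKEN: ${{ github.token }}         # used by the gh CLI
    steps:
      - name: Install slsa-verifier
        uses: slsa-framework/slsa-verifier/actions/installer@v2.5.1

      - name: Download artifact and provenance
        run: |
          gh release download "$TAG" --repo "$REPO" \
            --pattern "$ARTIFACT" --pattern "$ARTIFACT.intoto.jsonl"

      # A non-zero exit from slsa-verifier fails the job, so later steps
      # never run against an artifact whose provenance did not verify.
      - name: Verify provenance
        run: |
          slsa-verifier verify-artifact "$ARTIFACT" \
            --provenance-path "$ARTIFACT.intoto.jsonl" \
            --source-uri "github.com/$REPO" \
            --source-tag "$TAG"
```

Pinning `--source-uri` and `--source-tag` ties the artifact to the expected repository and release, rather than accepting any validly signed provenance.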