mirror of
https://github.com/slsa-framework/slsa-verifier.git
synced 2026-05-13 03:57:11 +00:00
How to LGTM this PR (I'll work on a proper doc for this in https://github.com/slsa-framework/slsa-github-generator/issues/112):

1. Clone repo

```
$ git clone git@github.com:slsa-framework/slsa-verifier.git
$ cd slsa-verifier
$ bash verify-release.sh v2.4.0 # NOTE: use the file in _this_ PR.
# Note down the path to the temporary dir used. The bash script will print its first line as "INFO: using dir: /tmp/tmp.VaYi6HfbmL"
```

2. Run command below and compare to SHA256SUM.md in this PR

```
$ sha256sum /tmp/tmp.VaYi6HfbmL/*
```

The output hash should be the hash I'm updating to in this PR. If they match, LGTM. If they don't, someone tampered with the released binary and don't LGTM

---------

Signed-off-by: laurentsimon <laurentsimon@google.com>
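The comparison in step 2 of the commit message above, as an added shell example (not part of the commit or of the project's scripts): it fails closed when a downloaded file's hash is missing from, or differs from, a pinned list. The function name `check_release_hashes` and the `<sha256>  <filename>` list format are assumptions, and the list is assumed to hold only the entries for the release under review.

```shell
#!/bin/sh
# Added example, not the project's code.
# Assumed list format: "<sha256-hex>  <filename>" lines as printed by sha256sum;
# any other lines (headings, blank lines) are ignored.

# check_release_hashes DIR SUMFILE
# Returns 0 only if every regular file in DIR has an exact (hash, name) entry.
check_release_hashes() {
    dir=$1
    sums=$2
    status=0
    seen=0

    [ -d "$dir" ] && [ -r "$sums" ] || { echo "ERROR: bad arguments" >&2; return 2; }

    for path in "$dir"/*; do
        [ -f "$path" ] || continue
        seen=$((seen + 1))
        name=$(basename "$path")
        actual=$(sha256sum "$path" | awk '{print $1}')
        # Require the exact pair; a correct hash under another name does not count.
        if awk -v h="$actual" -v n="$name" \
            '$1 == h && $2 == n {found = 1} END {exit !found}' "$sums"; then
            echo "OK: $name"
        else
            echo "FAIL: $name is unlisted or its hash differs" >&2
            status=1
        fi
    done

    # An empty directory proves nothing, so it must not pass.
    [ "$seen" -gt 0 ] || { echo "FAIL: no files in $dir" >&2; status=1; }
    return "$status"
}

# Constructed demo: one sample file and a matching pinned list.
demo=$(mktemp -d)
mkdir "$demo/out"
printf 'constructed sample\n' > "$demo/out/sample-binary"
(cd "$demo/out" && sha256sum sample-binary) > "$demo/pinned.txt"
check_release_hashes "$demo/out" "$demo/pinned.txt"
rm -rf "$demo"
```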
slsa-verifier setup GitHub Action
This action installs the SLSA verifier and adds it to your PATH.
For more information about slsa-verifier, refer to its documentation.
For more information about SLSA in general, see https://slsa.dev.
Usage
To install a specific version of slsa-verifier, use:
uses: slsa-framework/slsa-verifier/actions/installer@v2.4.0
See https://github.com/slsa-framework/slsa-verifier/releases for the list of available slsa-verifier releases. Only versions greater than or equal to 2.0.1 are supported.
This action requires using GitHub-provided Linux runners.