eclipse-cbi / macos-notarization-service

REST Service to notarize macOS application bundles and DMG
Eclipse Public License 2.0

Automate releases and include SLSA provenance #239

Closed: netomi closed this issue 12 months ago

netomi commented 12 months ago

The release process should be automated, e.g. using JReleaser, and should also include SLSA provenance for the build artifact to be able to verify binaries prior to installation.

netomi commented 12 months ago

I did some tests using the JReleaser action to include provenance (https://github.com/jreleaser/release-action/tree/java#slsa-builder).

However, this does not work as intended: https://github.com/OtterdogTest/macos-notarization-service/actions/runs/6146753636

This whole BYOB framework from the SLSA generator still feels very alpha.

Will resort to the traditional generic builder utilizing the existing release-drafter config instead of JReleaser.