The `client`, `server`, and `server-redis` provenance generation workflows each create a `{windows,linux,macos}-multile-provenance.intoto.jsonl` file that gets uploaded to the respective tagged releases. However, in an intermediate step, these files are temporarily uploaded to the workflow workspace that's shared between all three release types. Very occasionally, a race condition happens where one release type will overwrite the provenance file for the other release type before it's able to download it and upload it to the appropriate tagged release, which results in a SLSA verification error.
This quick fix to prefix the provenance files with the release type should remove this overlap/conflict/race condition.
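The overwrite described above, replayed deterministically as an added example (not code from this change or from the project). The artifact names and contents, the dict standing in for the shared workspace, and the exact `<release type>-` prefix format are assumptions; the check compares in-toto subject digests only and does not verify signatures.

```python
import base64, hashlib, json

def make_provenance(artifacts):
    """Build one constructed, unsigned DSSE line whose in-toto subjects are `artifacts`."""
    statement = {
        "_type": "https://in-toto.io/Statement/v0.1",
        "subject": [{"name": n, "digest": {"sha256": hashlib.sha256(d).hexdigest()}}
                    for n, d in artifacts.items()],
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": payload, "signatures": []})

def unattested(provenance_line, artifacts):
    """Return names of artifacts whose sha256 is not among the provenance subjects."""
    envelope = json.loads(provenance_line)
    statement = json.loads(base64.b64decode(envelope["payload"]))
    attested = {s["digest"]["sha256"] for s in statement["subject"]}
    return sorted(n for n, d in artifacts.items()
                  if hashlib.sha256(d).hexdigest() not in attested)

# Constructed release contents (artifact name -> bytes) for two release types.
RELEASES = {
    "client": {"linux-client.zip": b"client build"},
    "server": {"linux-server.zip": b"server build"},
}

def run(name_for):
    """Replay the bad interleaving: every release type uploads, then each downloads.
    `name_for(release_type)` picks the file name used in the shared workspace."""
    workspace = {}  # stand-in for the workspace shared by all release types
    for rtype, artifacts in RELEASES.items():       # uploads: same name overwrites
        workspace[name_for(rtype)] = make_provenance(artifacts)
    return {rtype: unattested(workspace[name_for(rtype)], artifacts)  # downloads
            for rtype, artifacts in RELEASES.items()}

def shared(rtype):      # one name for every release type (the colliding case)
    return "linux-multile-provenance.intoto.jsonl"

def prefixed(rtype):    # assumed prefix format: "<release type>-<original name>"
    return f"{rtype}-linux-multile-provenance.intoto.jsonl"

if __name__ == "__main__":
    print("shared name:  ", run(shared))
    print("prefixed name:", run(prefixed))
```

With the shared name, the `client` release ends up holding provenance whose subjects are the `server` artifacts, so its own artifact is reported as unattested; with prefixed names, both releases come back clean.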