Use SLSA publish action to include verified build information

[weswigham]

Fixes #210

cc @ianlewis if this looks about right to you - obviously aren't really able to test this completely outside of an actual github action.

[weswigham]

@ianlewis you mean you wanna recommend something like what I have now, going forward, for the install & test phases or a build, rather than using the run-scripts argument to the builder?

[ianlewis]

@ianlewis you mean you wanna recommend something like what I have now, going forward, for the install & test phases or a build, rather than using the run-scripts argument to the builder?

tbh, It's not a big deal either way. You could do it the way you have it for convenience's sake if that makes sense for you. There just isn't really a specific reason to run the tests in the builder.

[jakebailey]

I tested this out on hereby as a low-risk test before we do this to critical packages, and unfortunately it didn't seem to work: https://github.com/jakebailey/hereby/actions/runs/5483129736/jobs/9989176122#step:11:404

[ianlewis]

I tested this out on hereby as a low-risk test before we do this to critical packages, and unfortunately it didn't seem to work: https://github.com/jakebailey/hereby/actions/runs/5483129736/jobs/9989176122#step:11:404

Yes, this is a bug. Will fix ASAP. https://github.com/slsa-framework/slsa-github-generator/issues/2359

[jakebailey]

With 1.8.0 out, I got my first working SLSA level 3 build: https://github.com/jakebailey/hereby/actions/runs/5768389689

Feel free to copy my (now working) pipeline for this, though we'll have to get it into everyone's heads to stop doing local releases 😄

[ianlewis]

With 1.8.0 out, I got my first working SLSA level 3 build: https://github.com/jakebailey/hereby/actions/runs/5768389689

Feel free to copy my (now working) pipeline for this, though we'll have to get it into everyone's heads to stop doing local releases 😄

Thanks! I'm glad things are working for you now. Hopefully v1.8.0 allows us to move forward.