slsa-framework / example-package

Apache License 2.0

[flake] slsa-verifier: command not found #212

Open ianlewis opened 1 year ago

ianlewis commented 1 year ago

Tests often fail with the following error. This seems to be due to go install failing to install the verifier binary. When re-run, the tests typically pass.

```
  **** Provenance content verification *****
/home/runner/work/example-package/example-package
Checking dist-tag: 0.0.11 == 0.0.11
go: downloading github.com/slsa-framework/slsa-verifier v1.4.2-0.20221130213533-128324f48837
go: github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@main: module github.com/slsa-framework/slsa-verifier@main found (v1.4.2-0.20221130213533-128324f48837), but does not contain package github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier
**** Verifying provenance authenticity with verifier at HEAD *****
Testing against builder args
  **** Default parameters (annotated tags) *****
slsa-verifier verify-npm-package /tmp/tmp.Z5PqCPjHcj --builder-id=https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml@refs/heads/main --attestations-path /tmp/tmp.OJwnYDZlNq --package-name @slsa-framework/e2e-nodejs-push-main-disttag-slsa3 --package-version 0.0.11 --source-uri github.com/slsa-framework/example-package
./.github/workflows/scripts/e2e-verify.common.sh: line 306: slsa-verifier: command not found
```

Example run: https://github.com/slsa-framework/example-package/actions/runs/5233921111/attempts/1

laurentsimon commented 1 year ago

Yeah, it's really strange. It happens regularly too...

ianlewis commented 1 year ago

Yeah, I'm not sure what it is. It's just a regular go install command and it seems to fail randomly. Not just when we change something.

ianlewis commented 1 year ago

For some reason it's trying to download slsa-verifier at tag 1.4.2 rather than the latest, which is v2.3.0. Also, v1.4.2 doesn't exist: https://github.com/slsa-framework/slsa-verifier/releases/tag/v1.4.2
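
The `go:` error line in the log above can be decoded mechanically. The Go program below is an added example, not part of this thread or of the project's code; `Diagnosis`, `Diagnose` and the regular expressions are hypothetical names. It parses that line, checks whether the resolved module path lost the `/vN` element of the requested package, and decodes a version of the form `vX.Y.(Z+1)-0.<timestamp>-<revision>`, which Go's module system defines as a pseudo-version for an untagged commit on top of tag `vX.Y.Z`.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"time"
)

// The failing line from the issue's log, copied verbatim.
const sampleLine = `go: github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@main: module github.com/slsa-framework/slsa-verifier@main found (v1.4.2-0.20221130213533-128324f48837), but does not contain package github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier`

var (
	notFoundRe = regexp.MustCompile(`module (\S+)@(\S+) found \((\S+)\), but does not contain package (\S+)`)
	// vX.Y.(Z+1)-0.<UTC commit time>-<12-hex revision> is a pseudo-version based on tag vX.Y.Z.
	pseudoRe = regexp.MustCompile(`^v(\d+)\.(\d+)\.(\d+)-0\.(\d{14})-([0-9a-f]{12})$`)
	majorRe  = regexp.MustCompile(`/v\d+(/|$)`) // major-version path element such as /v2
)

// Diagnosis is a type made up for this example; it is not a Go toolchain API.
type Diagnosis struct {
	Module, Query, Resolved, Package, BaseTag, Revision string
	SuffixDropped, IsPseudo                             bool
	CommitTime                                          time.Time
}

// Diagnose parses go's "does not contain package" error and decodes the resolved version.
func Diagnose(line string) (Diagnosis, error) {
	m := notFoundRe.FindStringSubmatch(line)
	if m == nil {
		return Diagnosis{}, fmt.Errorf("not a 'does not contain package' error")
	}
	d := Diagnosis{Module: m[1], Query: m[2], Resolved: m[3], Package: m[4]}
	d.SuffixDropped = majorRe.MatchString(d.Package) && !majorRe.MatchString(d.Module)
	p := pseudoRe.FindStringSubmatch(d.Resolved)
	if p == nil || p[3] == "0" {
		return d, nil // a plain tag, or a pseudo-version form this example does not decode
	}
	ts, err := time.Parse("20060102150405", p[4])
	if err != nil {
		return d, err
	}
	patch, _ := strconv.Atoi(p[3])
	d.IsPseudo, d.CommitTime, d.Revision = true, ts, p[5]
	d.BaseTag = fmt.Sprintf("v%s.%s.%d", p[1], p[2], patch-1)
	return d, nil
}

func main() { fmt.Println(Diagnose(sampleLine)) }
```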