Closed saisatishkarra closed 5 months ago
Refer to the comment and description before merging for the UX
@ianlewis / @laurentsimon added a VerifyImageProvenanceRepo function for the verifier interface
GHA implementation of the new function overrides the cosign opts with the provided input and is backwards compatible for verifyImage()
GCB implementation of the new function VerifyImageProvenanceRepo calls back the verifyImage() internally and ignores the passed provenanceRepository argument.
LMK what you folks think!!
@laurentsimon can you review these changes again pls?
Let's update the example-package workflow next?
I also created https://github.com/slsa-framework/slsa-github-generator/issues/3095 which should be a simple change
Thanks again for the hard work.
@laurentsimon Added a new image verification cmd input --provenance-repository
This replicates the feature of the COSIGN_REPOSITORY environment variable when provenance is stored in a different repository/registry

Order of precedence:
- --provenance-repository is set, leverages the non-empty input value
- COSIGN_REPOSITORY is set, it is NOT consumed

README edit: https://github.com/slsa-framework/slsa-verifier/pull/736/files#diff-b335630551682c19a781afebcf4d07bf978fb1f8ac04c6bf87428ed5106870f5R280