Update SLSA generator workflow to v1.2.2 (#5323)

* Update SLSA generator workflow to v1.2.2 Signed-off-by: Ian Lewis <ianlewis@google.com> * Allow slsa-github-generator workflows to use tags Signed-off-by: Ian Lewis <ianlewis@google.com> Signed-off-by: Ian Lewis <ianlewis@google.com>
2025-03-28 10:28:36 +00:00 · 2022-11-15 15:08:09 +09:00 · 2022-11-15 15:08:09 +09:00 · d52c287cb0
commit d52c287cb0
parent 75080d297e
2 changed files with 13 additions and 11 deletions
--- a/.github/workflows/image.yaml
+++ b/.github/workflows/image.yaml
@ -47,13 +47,12 @@ jobs:
      id-token: write # To sign the provenance.
      packages: write # To upload assets to release.
      actions: read #To read the workflow path.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@9dc6318aedc3d24ede4e946966d30c752769a4f9
+    # NOTE: The container generator workflow is not officially released as GA.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.2.2
    with:
      image: ghcr.io/${{ github.repository_owner }}/kyvernopre
      digest: "${{ needs.push-init-kyverno.outputs.init_sha256_digest }}"
      registry-username: ${{ github.actor }}
-    # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
-      compile-generator: true
    secrets:
      registry-password: ${{ secrets.CR_PAT }}

@ -63,28 +62,26 @@ jobs:
      id-token: write # To sign the provenance.
      packages: write # To upload assets to release.
      actions: read #To read the workflow path.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@9dc6318aedc3d24ede4e946966d30c752769a4f9
+    # NOTE: The container generator workflow is not officially released as GA.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.2.2
    with:
      image: ghcr.io/${{ github.repository_owner }}/kyverno
      digest: "${{ needs.push-kyverno.outputs.kyverno_sha256_digest }}"
      registry-username: ${{ github.actor }}
-    # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
-      compile-generator: true
    secrets:
      registry-password: ${{ secrets.CR_PAT }}
-      
+
  generate-kyverno-cli-provenance:
    needs: push-kyverno-cli
    permissions:
      id-token: write # To sign the provenance.
      packages: write # To upload assets to release.
      actions: read #To read the workflow path.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@9dc6318aedc3d24ede4e946966d30c752769a4f9
+    # NOTE: The container generator workflow is not officially released as GA.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.2.2
    with:
      image: ghcr.io/${{ github.repository_owner }}/kyverno-cli
      digest: "${{ needs.push-kyverno-cli.outputs.cli_sha256_digest }}"
      registry-username: ${{ github.actor }}
-    # TODO(https://github.com/slsa-framework/slsa-github-generator/issues/492): Remove after GA release.
-      compile-generator: true
    secrets:
-      registry-password: ${{ secrets.CR_PAT }}
+      registry-password: ${{ secrets.CR_PAT }}
--- a/.github/workflows/tests.yaml
+++ b/.github/workflows/tests.yaml
@ -27,6 +27,11 @@ jobs:
      # see https://michaelheap.com/ensure-github-actions-pinned-sha/
      - name: Ensure SHA pinned actions
        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@6ca5574367befbc9efdb2fa25978084159c5902d # pin@v1.3.0
+        with:
+          # slsa-github-generator requires using a semver tag for reusable workflows. 
+          # See: https://github.com/slsa-framework/slsa-github-generator#referencing-slsa-builders-and-generators
+          allowlist: |
+            slsa-framework/slsa-github-generator

      - name: Setup go
        uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # pin@v3