From 5b0529952957838f65115b4df3e41a1c48bbada7 Mon Sep 17 00:00:00 2001
From: Ian Lewis
Date: Mon, 13 Mar 2023 00:31:15 +0000
Subject: [PATCH] Fix: Use attestation-name output
Fixes #978
Uses the `attestation-name` output from `generator_generic_slsa3.yml` to get the artifact name to download. Also removes the `compile-generator` input as https://github.com/slsa-framework/slsa-github-generator/issues/1163 was fixed.
Signed-off-by: Ian Lewis
---
 .github/workflows/release.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 56e667269c..7a460ab2f9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -3,7 +3,7 @@ name: goreleaser
 on:
 push:
 tags:
- - '*'
+ - '*':
 jobs:
 goreleaser:
@@ -66,7 +66,6 @@ jobs:
 with:
 base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
 upload-assets: true
- compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163
 verification:
 needs: [goreleaser, provenance]
@@ -93,11 +92,12 @@ jobs:
 - name: Download assets
 env:
 GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ PROVENANCE: "${{ needs.provenance.outputs.attestation-name }}"
 run: |
 set -euo pipefail
 gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
- gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "attestation.intoto.jsonl"
+ gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
 - name: Verify assets
 env:
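Review bot: The tag filter in the first hunk changes from `- '*'` to `- '*':`, and the trailing colon turns the list item from the glob string `*` into a one-key mapping with a null value. GitHub Actions expects `tags` to be a list of pattern strings, so this will likely fail workflow validation or stop the release workflow, and with it the provenance and verification jobs, from running on tag pushes. The commit message does not mention this line, so it looks accidental; the item should stay `- '*'`.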
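Review bot: `PROVENANCE` in the Download assets step is passed to `-p` without a check that it is non-empty, and `set -u` will not catch that, because the variable is set even when the `attestation-name` output is missing or renamed upstream. A guard ahead of the download, such as `: "${PROVENANCE:?attestation-name output is empty}"`, makes the job fail with a clear message instead of depending on how `gh release download` handles an empty pattern. `-p` is a glob, so matching exactly one file also relies on the output containing no wildcard characters. The Verify assets step begins at the end of the hunk and its body is not visible, so whether it still refers to the old fixed file name cannot be confirmed from here.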