diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
index d21c7bd1e9..67c1ad4b7b 100644
--- a/internal/builders/generic/README.md
+++ b/internal/builders/generic/README.md
@@ -31,6 +31,7 @@ project simply generates provenance as a separate step in an existing workflow.
 - [Provenance for Java](#provenance-for-java)
 - [Provenance for Rust](#provenance-for-rust)
 - [Provenance for Haskell](#provenance-for-haskell)
+- [Known Issues](#known-issues)
 ---
@@ -77,7 +78,7 @@ provenance:
 actions: read # Needed for detection of GitHub Actions environment.
 id-token: write # Needed for provenance signing and ID
 contents: write # Needed for release uploads
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.1
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 ```
@@ -134,7 +135,7 @@ jobs:
 actions: read
 id-token: write
 contents: write
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.1
 with:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 # Upload provenance to a new release
@@ -892,3 +893,32 @@ jobs:
 base64-subjects: "${{ needs.build.outputs.hashes }}"
 upload-assets: true # Optional: Upload to a new release
 ```
+
+## Known Issues
+
+### error updating to TUF remote mirror: tuf: invalid key
+
+**Affected versions:** v1.2.x
+
+Workflows are currently failing with the error:
+
+```
+validating log entry: unable to fetch Rekor public keys from TUF repository, and not trusting the Rekor API for fetching public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key
+```
+
+This issue is currently tracked by [issue #1163](https://github.com/slsa-framework/slsa-github-generator/issues/1163)
+
+You can work around this error by setting `compile-generator` input flag.
+
+```yaml
+with:
+ compile-generator: true
+```
+
+This will compile the generator binary used by the workflow instead of
+downloading the latest release. Make sure you continue to reference the workflow
+using a release tag in order to allow verification by `slsa-verifier`.
+
+```yaml
+uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.1
+```
diff --git a/internal/builders/go/README.md b/internal/builders/go/README.md
index b50165b273..4c4b4d5fa3 100644
--- a/internal/builders/go/README.md
+++ b/internal/builders/go/README.md
@@ -14,6 +14,7 @@ This document explains how to use the builder for [Go](https://go.dev/) projects
 - [Workflow Example](#workflow-example)
 - [Provenance Example](#provenance-example)
 - [BuildConfig Format](#buildconfig-format)
+ - [Known Issues](#known-issues)
 ---
@@ -114,7 +115,7 @@ In the meantime, you can use both GoReleaser and this builder in the same reposi
 ```yaml
 builds:
----
+# ...
 goos:
 - windows
 - linux
@@ -201,7 +202,7 @@ jobs:
 contents: write # To upload assets to release.
 actions: read # To read the workflow path.
 needs: args
- uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.1.1
+ uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
 with:
 go-version: 1.17
 # Optional: only needed if using ldflags.
@@ -343,3 +344,32 @@ The `BuildConfig` contains the following fields:
 ```json
 "workingDir": "/home/runner/work/ianlewis/actions-test"
 ```
+
+## Known Issues
+
+### error updating to TUF remote mirror: tuf: invalid key
+
+**Affected versions:** v1.2.x
+
+Workflows are currently failing with the error:
+
+```
+validating log entry: unable to fetch Rekor public keys from TUF repository, and not trusting the Rekor API for fetching public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key
+```
+
+This issue is currently tracked by [issue #1163](https://github.com/slsa-framework/slsa-github-generator/issues/1163)
+
+You can work around this error by setting `compile-builder` input flag.
+
+```yaml
+with:
+ compile-builder: true
+```
+
+This will compile the builder binary used by the workflow instead of downloading
+the latest release. Make sure you continue to reference the workflow using a
+release tag in order to allow verification by `slsa-verifier`.
+
+```yaml
+uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.1
+```