diff --git a/.github/workflows/generator_generic_slsa3.yml b/.github/workflows/generator_generic_slsa3.yml
index a7ae79b38a..9741c90f7c 100644
--- a/.github/workflows/generator_generic_slsa3.yml
+++ b/.github/workflows/generator_generic_slsa3.yml
@@ -56,6 +56,10 @@ on:
 the assets.
 type: string
 default: ""
+ attestation-name:
+ description: "The artifact name of the signed provenance. The file must have the intoto.jsonl extension. Defaults to .intoto.jsonl for single artifact or multiple.intoto.jsonl for multiple artifacts. DEPRECATED: Use provenance-name instead."
+ required: false
+ type: string
 provenance-name:
 description: The artifact name of the signed provenance. The file must have the intoto.jsonl extension. Defaults to .intoto.jsonl for single artifact or multiple.intoto.jsonl for multiple artifacts.
 required: false
@@ -94,6 +98,9 @@ on:
 Note: This value is non-empty only when a release asset is uploaded, according to the values of `upload-assets` and `upload-tag-name`.
 value: ${{ jobs.upload-assets.outputs.release-id }}
+ attestation-name:
+ description: "DEPRECATED: use the provenance-name output instead."
+ value: ${{ jobs.generator.outputs.provenance-name }}
 provenance-name:
 description: "The artifact name of the signed provenance. (A file with the intoto.jsonl extension)."
 value: ${{ jobs.generator.outputs.provenance-name }}
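Review bot: The description of the re-added `attestation-name` input (first hunk of generator_generic_slsa3.yml) does not say what happens when it is passed together with `provenance-name`. Going by the `run:` script changed later in this file, `provenance-name` wins and `attestation-name` is only read when `provenance-name` is empty, so a caller who sets both gets a provenance file under a name they may not expect. I would lead with the deprecation and state the precedence, e.g. `description: "DEPRECATED: use provenance-name instead; ignored when provenance-name is set. The artifact name of the signed provenance. The file must have the intoto.jsonl extension."`. That also matches the wording of the `attestation-name` output added in the next hunk, which already opens with `DEPRECATED:`.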
@@ -219,11 +226,17 @@ jobs:
 env:
 GITHUB_CONTEXT: "${{ toJSON(github) }}"
 UNTRUSTED_PROVENANCE_NAME: "${{ inputs.provenance-name }}"
+ UNTRUSTED_DEPRECATED_ATTESTATION_NAME: "${{ inputs.attestation-name }}"
 run: |
 set -euo pipefail
 untrusted_prov_name=""
 if [ "$UNTRUSTED_PROVENANCE_NAME" != "" ]; then
 untrusted_prov_name="$UNTRUSTED_PROVENANCE_NAME"
+ else
+ if [ "$UNTRUSTED_DEPRECATED_ATTESTATION_NAME" != "" ]; then
+ echo "WARNING: deprecated attestation-name was used. Use provenance-name instead."
+ untrusted_prov_name="$UNTRUSTED_DEPRECATED_ATTESTATION_NAME"
+ fi
 fi
 # Create and sign provenance.
 # NOTE: The builder verifies that the provenance path is located
diff --git a/CHANGELOG.md b/CHANGELOG.md
index c110443668..68144da56c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,7 +10,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - [Unreleased](#unreleased)
- - [Unreleased: Breaking Change: attestation-name Workflow Input and Output](#unreleased-breaking-change-attestation-name-workflow-input-and-output)
 - [Unreleased: Gradle Builder](#unreleased-gradle-builder)
 - [Unreleased: Go Builder](#unreleased-go-builder)
 - [Unreleased: Container Generator](#unreleased-container-generator)
@@ -100,10 +99,6 @@ duplication."
 ## Unreleased
-### Unreleased: Breaking Change: attestation-name Workflow Input and Output
-
-- `attestation-name` as a workflow input to `.github/workflows/generator_generic_slsa3.yml` is now removed. Use `provenance-name` instead.
-
 ### Unreleased: Gradle Builder
 - The Gradle Builder was fixed when the project root is the same as the
diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
index 7d77b5dede..1e809fff43 100644
--- a/internal/builders/generic/README.md
+++ b/internal/builders/generic/README.md
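Review bot: The deprecation notice in the added `else` branch of the `run:` script in generator_generic_slsa3.yml is a plain `echo`, so it only lands in the step log, where callers of a reusable workflow rarely look. Emitting it as a workflow annotation, `echo "::warning::deprecated attestation-name was used. Use provenance-name instead."`, would surface it on the run summary; the message is a constant, so no untrusted text reaches the workflow command. When both inputs are set the script takes `provenance-name` and drops `attestation-name` without any message, which deserves a warning of its own. The new value is passed through `env:` and double-quoted like `UNTRUSTED_PROVENANCE_NAME`, which keeps it out of the script text, and it feeds the same `untrusted_prov_name`. The path check that the trailing NOTE comment refers to lies outside the hunk, so it should be confirmed that it runs on that variable and not on `UNTRUSTED_PROVENANCE_NAME` directly.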
@@ -266,6 +266,7 @@ The [generic workflow](https://github.com/slsa-framework/slsa-github-generator/b
 | `upload-assets` | no | false | If true provenance is uploaded to a GitHub release for new tags. |
 | `upload-tag-name` | no | | If specified and `upload-assets` is set to true, the provenance will be uploaded to a Github release identified by the tag-name regardless of the triggering event. |
 | `provenance-name` | no | "(subject name).intoto.jsonl" if a single subject. "multiple.intoto.json" if multiple subjects. | The artifact name of the signed provenance. The file must have the `intoto.jsonl` extension. |
+| `attestation-name` | no | "(subject name).intoto.jsonl" if a single subject. "multiple.intoto.json" if multiple subjects. | The artifact name of the signed provenance. The file must have the `intoto.jsonl` extension. DEPRECATED: use `provenance-name` instead. |
 | `private-repository` | no | false | Set to true to opt-in to posting to the public transparency log. Will generate an error if false for private repositories. This input has no effect for public repositories. See [Private Repositories](#private-repositories). |
 | `continue-on-error` | no | false | Set to true to ignore errors. This option is useful if you won't want a failure to fail your entire workflow. |
 | `draft-release` | no | false | If true, the release is created as a draft |
@@ -277,6 +278,7 @@ The [generic workflow](https://github.com/slsa-framework/slsa-github-generator/b
 | Name | Description |
 | ------------------ | ----------------------------------------------------------------------------------------------- |
 | `provenance-name` | The artifact name of the signed provenance. |
+| `attestation-name` | The artifact name of the signed provenance. DEPRECATED: use `provenance-name` instead. |
 | `outcome` | If `continue-on-error` is `true`, will contain the outcome of the run (`success` or `failure`). |
 ### Provenance Format