Fix: Use attestation-name output

Fixes ko-build#978 Uses the `attestation-name` output from `generator_generic_slsa3.yml` to get the artifact name to download. Also removes the `compile-generator` input as slsa-framework/slsa-github-generator#1163 was fixed. Signed-off-by: Ian Lewis <ianmlewis@gmail.com>
ianlewis · Mar 13, 2023 · 5e6b5d7 · 5e6b5d7
1 parent e22e7a1
commit 5e6b5d7
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -66,7 +66,6 @@ jobs:
     with:
       base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
       upload-assets: true
-      compile-generator: true # Workaround for https://github.com/slsa-framework/slsa-github-generator/issues/1163
 
   verification:
     needs: [goreleaser, provenance]
@@ -93,11 +92,12 @@ jobs:
       - name: Download assets
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PROVENANCE: "${{ needs.provenance.outputs.attestation-name }}"
         run: |
           set -euo pipefail
 
           gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
-          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "attestation.intoto.jsonl"
+          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
 
       - name: Verify assets
         env: