Doc updates (slsa-framework#359)

Ian Lewis · joshuagl · web-flow · commit 043b978dbee3 · 2022-06-20T19:17:07.000+09:00
* Golang -&gt; Go

* Formatting and supported triggers section

* Some changes to supported triggers

* Update internal/builders/go/README.md

Co-authored-by: Joshua Lock &lt;jlock@vmware.com&gt;

* Update internal/builders/go/README.md

Co-authored-by: Joshua Lock &lt;jlock@vmware.com&gt;

Co-authored-by: Joshua Lock &lt;jlock@vmware.com&gt;
diff --git a/README.md b/README.md
@@ -9,7 +9,7 @@ This repository contains the code, examples and technical design for system desc
 ---
 
 - [Generation of provenance](#generation-of-provenance)
-  - [Golang projects](#golang-projects)
+  - [Go projects](#go-projects)
   - [Other projects](#other-projects)
 - [Verification of provenance](#verification-of-provenance)
   - [Installation](#installation)
@@ -24,13 +24,15 @@ This repository contains the code, examples and technical design for system desc
 
 ## Generation of provenance
 
-### Golang projects
+### Go projects
 
-To generate SLSA provenance for your Golang project, follow [internal/builders/go/README.md](internal/builders/go/README.md).
+To generate SLSA provenance for your [Go](https://go.dev/) project, follow
+[internal/builders/go/README.md](internal/builders/go/README.md).
 
 ### Other projects
 
-To generate SLSA provenance for other programming languages, follow [internal/builders/generic/README.md](internal/builders/generic/README.md).
+To generate SLSA provenance for other programming languages, follow
+[internal/builders/generic/README.md](internal/builders/generic/README.md).
 This is a pre-release only and we will have the official release in July 2022.
 
 ## Verification of provenance
@@ -62,4 +64,3 @@ For a more in-depth technical dive, read the [SPECIFICATIONS.md](./SPECIFICATION
 ### Provenance format
 
 The format of the provenance is available in [PROVENANCE_FORMAT.md](./PROVENANCE_FORMAT.md).
-
diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md
@@ -19,6 +19,7 @@ project simply generates provenance as a separate step in an existing workflow.
 - [Benefits of Provenance](#benefits-of-provenance)
 - [Generating Provenance](#generating-provenance)
   - [Getting Started](#getting-started)
+  - [Supported Triggers](#supported-triggers)
   - [Workflow Inputs](#workflow-inputs)
   - [Workflow Outputs](#workflow-outputs)
   - [Provenance Format](#provenance-format)
@@ -157,6 +158,22 @@ jobs:
             ${{needs.provenance.outputs.attestation-name}}
 ```
 
+### Supported Triggers
+
+The following [GitHub trigger events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows) are fully supported and tested:
+
+- `schedule`
+- `push` (including new tags)
+- `release`
+- Manual run via `workflow_dispatch`
+
+However, in practice, most triggers should work with the exception of
+`pull_request`. If you would like support for `pull_request`, please tell us
+about your use case on [issue
+#358](https://github.com/slsa-framework/slsa-github-generator/issues/358). If
+you have an issue in all other triggers please submit a [new
+issue](https://github.com/slsa-framework/slsa-github-generator/issues/new/choose).
+
 ### Workflow Inputs
 
 The builder workflow
diff --git a/internal/builders/go/README.md b/internal/builders/go/README.md
@@ -1,33 +1,37 @@
-# Generation of SLSA3+ provenance for Golang projects
+# Generation of SLSA3+ provenance for Go projects
 
-This document explains how to use the builder for Golang projects.
+This document explains how to use the builder for [Go](https://go.dev/) projects.
 
 ---
 
 [Generation of provenance](#generation)
 
-- [Supported triggers](#supported-triggers)
-- [Configuration file](#configuration-file)
+- [Supported Triggers](#supported-triggers)
+- [Configuration File](#configuration-file)
 - [Migration from goreleaser](#migration-from-goreleaser)
-- [Workflow inputs](#workflow-inputs)
+- [Workflow Inputs](#workflow-inputs)
 - [Workflow Example](#workflow-example)
-- [Example provenance](#example-provenance)
-- [BuildConfig format](#buildconfig-format)
+- [Provenance Example](#provenance-example)
+- [BuildConfig Format](#buildconfig-format)
 
 ---
 
 ## Generation
 
-To generate provenance for a golang binary, follow the steps below:
+To generate provenance for a Go binary, follow the steps below:
 
-### Supported triggers
+### Supported Triggers
 
-Most GitHub trigger events are supported, at the exception of `pull_request`. We have extensively tested the 
-following triggers: `schedule`, `push` (including new tags), `release` and manual `workflow_dispatch`.
+The following [GitHub trigger events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows) are fully supported and tested:
 
-If you would like support for `pull_request`, please tell us about your use case and [file an issue](https://github.com/slsa-framework/slsa-github-generator/issues/new).
+- `schedule`
+- `push` (including new tags)
+- `release`
+- Manual run via `workflow_dispatch`
 
-### Configuration file
+However, in practice, most triggers should work with the exception of `pull_request`. If you would like support for `pull_request`, please tell us about your use case on [issue #358](https://github.com/slsa-framework/slsa-github-generator/issues/358). If you have an issue in all other triggers please submit a [new issue](https://github.com/slsa-framework/slsa-github-generator/issues/new/choose).
+
+### Configuration File
 
 Define a configuration file called `.slsa-goreleaser.yml` in the root of your project.
 
@@ -46,7 +50,7 @@ flags:
   - -tags=netgo
 
 # The OS to compile for. `GOOS` env variable will be set to this value.
-goos: linux 
+goos: linux
 
 # The architecture to compile for. `GOARCH` env variable will be set to this value.
 goarch: amd64
@@ -64,15 +68,15 @@ binary: binary-{{ .Os }}-{{ .Arch }}
 
 # (Optional) ldflags generated dynamically in the workflow, and set as the `evaluated-envs` input variables in the workflow.
 ldflags:
-  - '-X main.Version={{ .Env.VERSION }}'
-  - '-X main.Commit={{ .Env.COMMIT }}'
-  - '-X main.CommitDate={{ .Env.COMMIT_DATE }}'
-  - '-X main.TreeState={{ .Env.TREE_STATE }}'
+  - "-X main.Version={{ .Env.VERSION }}"
+  - "-X main.Commit={{ .Env.COMMIT }}"
+  - "-X main.CommitDate={{ .Env.COMMIT_DATE }}"
+  - "-X main.TreeState={{ .Env.TREE_STATE }}"
 ```
 
 ### Migration from goreleaser
 
-If you are already using Goreleaser, you may be able to migrate to our builder using multiple config files for each build. However, this is cumbersome and we are working on supporting multiple builds in a single config file for future releases. 
+If you are already using Goreleaser, you may be able to migrate to our builder using multiple config files for each build. However, this is cumbersome and we are working on supporting multiple builds in a single config file for future releases.
 
 In the meantime, you can use both Goreleaser and this builder in the same repository. For example, you can pick one build you would like to start generating provenance for. Goreleaser and this builder can co-exist without interfering with one another, so long as the resulting binaries have different names (e.g., when building for different OS/Arch). If you want to keep the same name, you can use the Goreleaser `ignore` option in the `.goreleaser.yml`:
 
@@ -97,38 +101,38 @@ We think gradual adoption is good for projects to get used to SLSA.
 
 The configuration file accepts many of the common fields Goreleaser uses, as you can see in the [example](#configuration-file). The configuration file also supports two variables: `{{ .Os }}` and `{{ .Arch }}`. Other variables can be set manually as shows in the table below, in combination with the builder's `evaluated-envs`:
 
-| Name         | Value      | Example     |
-| --------------------------- |  ----------------------------------------------- | ------------------ |
-| `{{ .CommitDate }}` | `date -d @$(git log --date=iso8601-strict -1 --pretty=%ct)`     |  `Mon Jun 13 01:23:36 AM UTC 2022` |
-| `{{ .FullCommit }}` | `$GITHUB_SHA` or `$(git rev-parse HEAD)`   | `b2a980888f359b8cef22cb61f153746e1a06deb0` |
-| `{{ .ShortCommit }}` | `$(echo $GITHUB_SHA \| cut -c1-8)` or `$(git rev-parse HEAD \| cut -c1-8)`   | `b2a98088` |
-| `{{ .Version }}` | `$(git describe --tags --always --dirty \| cut -c2-)` or `$(echo $GITHUB_REF_NAME \| cut -c2-)` on new tags and release triggers | `1.2.3-alpha+b2a98088` |
-| `{{ .Tag }}` | `$GITHUB_REF_NAME` (on `release` and `push` new tag triggers) or `$(git describe --tags --always --dirty \| cut -c2-)`    | `v1.2.3-alpha+b2a98088` |
-| `{{ .Major }}` | `$(git describe --tags --always --dirty \| cut -d '.' -f1 \| cut -c2-)`    | `1` |
-| `{{ .Minor }}` | `$(git describe --tags --always --dirty \| cut -d '.' -f2`    | `2` |
-| `{{ .Patch }}` | `$(git describe --tags --always --dirty \| cut -d '.' -f3 \| cut -d '-' -f1 \| cut -d '+' -f1`    | `3` |
+| Name                 | Value                                                                                                                            | Example                                    |
+| -------------------- | -------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ |
+| `{{ .CommitDate }}`  | `date -d @$(git log --date=iso8601-strict -1 --pretty=%ct)`                                                                      | `Mon Jun 13 01:23:36 AM UTC 2022`          |
+| `{{ .FullCommit }}`  | `$GITHUB_SHA` or `$(git rev-parse HEAD)`                                                                                         | `b2a980888f359b8cef22cb61f153746e1a06deb0` |
+| `{{ .ShortCommit }}` | `$(echo $GITHUB_SHA \| cut -c1-8)` or `$(git rev-parse HEAD \| cut -c1-8)`                                                       | `b2a98088`                                 |
+| `{{ .Version }}`     | `$(git describe --tags --always --dirty \| cut -c2-)` or `$(echo $GITHUB_REF_NAME \| cut -c2-)` on new tags and release triggers | `1.2.3-alpha+b2a98088`                     |
+| `{{ .Tag }}`         | `$GITHUB_REF_NAME` (on `release` and `push` new tag triggers) or `$(git describe --tags --always --dirty \| cut -c2-)`           | `v1.2.3-alpha+b2a98088`                    |
+| `{{ .Major }}`       | `$(git describe --tags --always --dirty \| cut -d '.' -f1 \| cut -c2-)`                                                          | `1`                                        |
+| `{{ .Minor }}`       | `$(git describe --tags --always --dirty \| cut -d '.' -f2`                                                                       | `2`                                        |
+| `{{ .Patch }}`       | `$(git describe --tags --always --dirty \| cut -d '.' -f3 \| cut -d '-' -f1 \| cut -d '+' -f1`                                   | `3`                                        |
 
 If you think you need suppport for other variables, please [open an issue](https://github.com/slsa-framework/slsa-github-generator/issues/new).
 
-### Workflow inputs
+### Workflow Inputs
 
 The builder workflow [slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml](.github/workflows/builder_go_slsa3.yml) accepts the following inputs:
 
-| Name         | Required | Description    | Default                                                                                                                                                                                                                                           |
-| ------------------ | -------- | -------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `config-file` | no      | `.github/workflows/slsa-goreleaser.yml` | The configuration file for the builder. A path within the calling repository. |
-| `evaluated-envs`        | no       | empty value | A list of environment variables, seperated by `,`: `VAR1: value, VAR2: value`. This is typically used to pass dynamically-generated values, such as `ldflags`. Note that only environment variables with names starting with `CGO_` or `GO` are accepted. |
-| `go-version` | yes      | The go version for your project. This value is passed, unchanged, to the [actions/setup-go](https://github.com/actions/setup-go) action when setting up the environment |
-| `upload-assets` | no    | true on new tags | Whether to upload assets to a GitHub release or not. |
+| Name             | Required | Description                                                                                                                                                             | Default                                                                                                                                                                                                                                                   |
+| ---------------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `config-file`    | no       | `.github/workflows/slsa-goreleaser.yml`                                                                                                                                 | The configuration file for the builder. A path within the calling repository.                                                                                                                                                                             |
+| `evaluated-envs` | no       | empty value                                                                                                                                                             | A list of environment variables, seperated by `,`: `VAR1: value, VAR2: value`. This is typically used to pass dynamically-generated values, such as `ldflags`. Note that only environment variables with names starting with `CGO_` or `GO` are accepted. |
+| `go-version`     | yes      | The go version for your project. This value is passed, unchanged, to the [actions/setup-go](https://github.com/actions/setup-go) action when setting up the environment |
+| `upload-assets`  | no       | true on new tags                                                                                                                                                        | Whether to upload assets to a GitHub release or not.                                                                                                                                                                                                      |
 
 ### Workflow Example
 
 Create a new workflow, say `.github/workflows/slsa-goreleaser.yml`.
 
-Make sure that you reference the trusted builder with a semnatic version of the form `vX.Y.Z`. The build will fail
-if you reference it via a shorter tag like `vX.Y` or `vX`. 
+Make sure that you reference the trusted builder with a semantic version of the form `vX.Y.Z`. The build will fail
+if you reference it via a shorter tag like `vX.Y` or `vX`.
 
-Refencing via hash is currently not supported due to limitations
+Referencing via hash is currently not supported due to limitations
 of the reusable workflow APIs. (We are working with GitHub to address this limitation).
 
 ```yaml
@@ -166,9 +170,9 @@ jobs:
   # Trusted builder.
   build:
     permissions:
-      id-token: write   # To sign the provenance.
-      contents: write   # To upload assets to release.
-      actions: read     # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To upload assets to release.
+      actions: read # To read the workflow path.
     needs: args
     uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.0.0
     with:
@@ -177,7 +181,7 @@ jobs:
       evaluated-envs: "COMMIT_DATE:${{needs.args.outputs.commit-date}}, COMMIT:${{needs.args.outputs.commit}}, VERSION:${{needs.args.outputs.version}}, TREE_STATE:${{needs.args.outputs.tree-state}}"
 ```
 
-### Example provenance
+### Provenance Example
 
 An example of the provenance generated from this repo is below:
 
@@ -278,7 +282,7 @@ An example of the provenance generated from this repo is below:
 }
 ```
 
-### BuildConfig format
+### BuildConfig Format
 
 The `BuildConfig` contains the following fields:
 
