slsa-framework · laurentsimon · Oct 20, 2022 · Oct 20, 2022 · Oct 20, 2022 · Oct 20, 2022
@@ -53,7 +53,7 @@ fi
 
 if [[ "$BUILDER_TAG" != "$(echo -n "$BUILDER_TAG" | grep -P '^v\d*(\.([\d]{1,})){0,2}$')" ]]; then
     echo "Invalid builder version: $BUILDER_TAG. Expected version of the form vX.Y.Z"
-    echo "For details see https://github.com/slsa-framework/slsa-github-generator#verification-of-provenance"
+    echo "For details see https://github.com/slsa-framework/slsa-github-generator/blob/main/README.md#referencing-slsa-builders-and-generators"
     exit 7
 fi
 

@@ -18,6 +18,7 @@ project simply generates provenance as a separate step in an existing workflow.
 - [Benefits of Provenance](#benefits-of-provenance)
 - [Generating Provenance](#generating-provenance)
   - [Getting Started](#getting-started)
+  - [Referencing the SLSA generator](#referencing-the-slsa-generator)
   - [Supported Triggers](#supported-triggers)
   - [Workflow Inputs](#workflow-inputs)
   - [Provenance Format](#provenance-format)
@@ -148,6 +149,12 @@ jobs:
     secrets:
       registry-password: ${{ secrets.GITHUB_TOKEN }}
 ```
+### Referencing the SLSA generator
+
+At present, the generator **MUST** be referenced
+by a tag of the form `@vX.Y.Z`, because the build will fail if you reference it via a shorter tag like `@vX.Y` or `@vX` or if you reference it by a hash.
+
+For more information about this design decision and how to configure renovatebot,see the main repository [README.md](../../../README.md).
 
 ### Supported Triggers
 

@@ -18,6 +18,7 @@ project simply generates provenance as a separate step in an existing workflow.
 - [Benefits of Provenance](#benefits-of-provenance)
 - [Generating Provenance](#generating-provenance)
   - [Getting Started](#getting-started)
+  - [Referencing the SLSA generator](#referencing-the-slsa-generator)
   - [Supported Triggers](#supported-triggers)
   - [Workflow Inputs](#workflow-inputs)
   - [Workflow Outputs](#workflow-outputs)
@@ -162,6 +163,13 @@ jobs:
             artifact2
 ```
 
+### Referencing the SLSA generator
+
+At present, the generator **MUST** be referenced
+by a tag of the form `@vX.Y.Z`, because the build will fail if you reference it via a shorter tag like `@vX.Y` or `@vX` or if you reference it by a hash.
+
+For more information about this design decision and how to configure renovatebot,see the main repository [README.md](../../../README.md).
+
 ### Supported Triggers
 
 The following [GitHub trigger events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows) are fully supported and tested:

@@ -6,6 +6,7 @@ This document explains how to use the builder for [Go](https://go.dev/) projects
 
 [Generation of provenance](#generation)
 
+- [Referencing the SLSA builder](#referencing-the-slsa-builder)
 - [Supported Triggers](#supported-triggers)
 - [Configuration File](#configuration-file)
 - [Migration from GoReleaser](#migration-from-GoReleaser)
@@ -21,6 +22,13 @@ This document explains how to use the builder for [Go](https://go.dev/) projects
 The Go builder workflow uses a GitHub Actions reusable workflow to generate the
 provenance.
 
+### Referencing the SLSA builder
+
+At present, the trusted builder **MUST** be referenced
+by a tag of the form `@vX.Y.Z`, because the build will fail if you reference it via a shorter tag like `@vX.Y` or `@vX` or if you reference it by a hash.
+
+For more information about this design decision and how to configure renovatebot,see the main repository [README.md](../../../README.md).
+
 ### Supported Triggers
 
 The following [GitHub trigger events](https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows) are fully supported and tested: