From 67805723f0bf3c53f17eaaea77e9cfd44d6a2417 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 19 Jul 2022 00:59:05 +0000
Subject: [PATCH 1/8] update

---
 ci/generic-generator-ossf-slsa3-publish.yml | 63 +++++++++++++++++++++
 1 file changed, 63 insertions(+)
 create mode 100644 ci/generic-generator-ossf-slsa3-publish.yml

diff --git a/ci/generic-generator-ossf-slsa3-publish.yml b/ci/generic-generator-ossf-slsa3-publish.yml
new file mode 100644
index 0000000000..f843fd1a48
--- /dev/null
+++ b/ci/generic-generator-ossf-slsa3-publish.yml
@@ -0,0 +1,63 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you compile your Go project using a SLSA3 compliant builder.
+# This workflow will generate a so-called "provenance" file describing the steps
+# that were performed to generate the final binary.
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA generic generator
+on:
+ workflow_dispatch:
+ release:
+ types: [created]
+
+permissions: read-all
+
+jobs:
+ build:
+ outputs:
+ digests: ${{ steps.hash.outputs.digests }}
+
+ steps:
+ # ========================================================
+ #
+ # Step 1: Build your artifacts.
+ #
+ # ========================================================
+ - name: Build artifacts
+ run: |
+ # These are some amazing artifacts.
+ echo "artifact1" > artifact1
+ echo "artifact2" > artifact2
+
+ # ========================================================
+ #
+ # Step 2: Add a step to generate the provenance subjects
+ # as shown below. Update the sha256 sum arguments
+ # to include all binaries that you generate
+ # provenance for.
+ #
+ # ========================================================
+ - name: Generate subject
+ id: hash
+ run: |
+ set -euo pipefail
+
+ echo "::set-output name=digests::$(sha256sum artifact1 artifact2 | base64 -w0)"
+
+ provenance:
+ needs: [build]
+ permissions:
+ actions: read
+ id-token: write
+ contents: read
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
+ with:
+ base64-subjects: "${{ needs.build.outputs.digests }}"
+ upload-assets: true # Optional: Upload to a new release
\ No newline at end of file

From 0f26631ba6e9900520c570d1153140b812a9e870 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 19 Jul 2022 01:04:52 +0000
Subject: [PATCH 2/8] update

---
 ...h.yml => generator-generic-ossf-slsa3-publish.yml} | 0
 ...nerator-generic-ossf-slsa3-publish.properties.json | 7 +++++++
 icons/generator-generic-ossf-slsa3-publish.svg | 11 +++++++++++
 3 files changed, 18 insertions(+)
 rename ci/{generic-generator-ossf-slsa3-publish.yml => generator-generic-ossf-slsa3-publish.yml} (100%)
 create mode 100644 ci/properties/generator-generic-ossf-slsa3-publish.properties.json
 create mode 100644 icons/generator-generic-ossf-slsa3-publish.svg

diff --git a/ci/generic-generator-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml
similarity index 100%
rename from ci/generic-generator-ossf-slsa3-publish.yml
rename to ci/generator-generic-ossf-slsa3-publish.yml
diff --git a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json
new file mode 100644
index 0000000000..2861c3f1ef
--- /dev/null
+++ b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json
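Review bot: The `Generate subject` step publishes the digests through the `::set-output` workflow command, which GitHub has since deprecated in favour of appending to the `$GITHUB_OUTPUT` file; the same command is carried into the patch 7 hunk that rewrites this step. Change the line to `echo "digests=$(sha256sum artifact1 artifact2 | base64 -w0)" >> "$GITHUB_OUTPUT"` so the `steps.hash.outputs.digests` value the provenance job consumes keeps being populated. Note also that `set -euo pipefail` is present only in this step, so a failing `echo` in the `Build artifacts` step above would not stop the job before hashing.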
@@ -0,0 +1,7 @@
+{
+ "name": "SLSA Generic generator",
+ "creator": "Open Source Security Foundation (OpenSSF)",
+ "description": "Generate SLSA3 provenance for your existing release workflows",
+ "iconName": "go-ossf-slsa3-publish",
+ "categories": ["Continuous integration"]
+}
diff --git a/icons/generator-generic-ossf-slsa3-publish.svg b/icons/generator-generic-ossf-slsa3-publish.svg
new file mode 100644
index 0000000000..ea7746896d
--- /dev/null
+++ b/icons/generator-generic-ossf-slsa3-publish.svg
@@ -0,0 +1,11 @@
+
+
+
+
+
+
+
+
+
+
+

From c81201dd621f7167106925fcbb2db17b6381d430 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 19 Jul 2022 01:06:11 +0000
Subject: [PATCH 3/8] update

---
 ci/generator-generic-ossf-slsa3-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml
index f843fd1a48..e37a3f35b6 100644
--- a/ci/generator-generic-ossf-slsa3-publish.yml
+++ b/ci/generator-generic-ossf-slsa3-publish.yml
@@ -60,4 +60,4 @@ jobs:
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
 with:
 base64-subjects: "${{ needs.build.outputs.digests }}"
- upload-assets: true # Optional: Upload to a new release
\ No newline at end of file
+ upload-assets: true # Optional: Upload to a new release

From 19e6b35e8432c1d2915cbc9d86b12e4fcb0d1838 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 19 Jul 2022 01:14:33 +0000
Subject: [PATCH 4/8] update

---
 ci/generator-generic-ossf-slsa3-publish.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml
index e37a3f35b6..eae74315b9 100644
--- a/ci/generator-generic-ossf-slsa3-publish.yml
+++ b/ci/generator-generic-ossf-slsa3-publish.yml
@@ -21,6 +21,7 @@ permissions: read-all
 jobs:
 build:
+ runs-on: ubuntu-latest
 outputs:
 digests: ${{ steps.hash.outputs.digests }}
From 026c540730dd5bafad6c468af4cb2176bd0327cb Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 19 Jul 2022 01:21:35 +0000
Subject: [PATCH 5/8] update

---
 ci/generator-generic-ossf-slsa3-publish.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml
index eae74315b9..54c110e951 100644
--- a/ci/generator-generic-ossf-slsa3-publish.yml
+++ b/ci/generator-generic-ossf-slsa3-publish.yml
@@ -55,9 +55,9 @@ jobs:
 provenance:
 needs: [build]
 permissions:
- actions: read
- id-token: write
- contents: read
+ actions: read # To read the workflow path.
+ id-token: write # To sign the provenance.
+ contents: write # To add assets to a release.
 uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
 with:
 base64-subjects: "${{ needs.build.outputs.digests }}"

From 30f1eecad156ad2196177709d0d2fe8f20eb8e78 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Tue, 19 Jul 2022 15:55:40 +0000
Subject: [PATCH 6/8] update

---
 ci/generator-generic-ossf-slsa3-publish.yml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml
index 54c110e951..feadcf293b 100644
--- a/ci/generator-generic-ossf-slsa3-publish.yml
+++ b/ci/generator-generic-ossf-slsa3-publish.yml
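Review bot: `contents: write` is the only write grant in a workflow whose top level is `permissions: read-all`, and it is needed solely because the reusable workflow is invoked with `upload-assets: true`; the new comment should say so, since users who copy this template and disable asset upload can keep the job at read access. Suggested wording: `contents: write # To add assets to a release (only needed with upload-assets: true).` The `id-token: write` grant is what the reusable workflow uses to obtain the OIDC token for signing, so that comment is accurate as written.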
@@ -3,10 +3,10 @@
 # separate terms of service, privacy policy, and support
 # documentation.
-# This workflow lets you compile your Go project using a SLSA3 compliant builder.
-# This workflow will generate a so-called "provenance" file describing the steps
+# This workflow lets you compile your Go project using a SLSA3 compliant builder
+# This workflow will generate a so-called "provenance" file describing the steps
 # that were performed to generate the final binary.
-# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
 # https://github.com/slsa-framework/slsa-github-generator.
 # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
 # For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
@@ -26,11 +26,13 @@ jobs:
 digests: ${{ steps.hash.outputs.digests }}
 steps:
+ uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
+
 # ========================================================
 #
 # Step 1: Build your artifacts.
 #
- # ========================================================
+ # ========================================================
 - name: Build artifacts
 run: |
 # These are some amazing artifacts.

From aec987bfb55cb1003ba043fdd1a67426eba751e3 Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Mon, 1 Aug 2022 15:00:08 +0000
Subject: [PATCH 7/8] comments

---
 ci/generator-generic-ossf-slsa3-publish.yml | 12 +++++++-----
 ...erator-generic-ossf-slsa3-publish.properties.json | 4 ++--
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml
index feadcf293b..c8a35441a7 100644
--- a/ci/generator-generic-ossf-slsa3-publish.yml
+++ b/ci/generator-generic-ossf-slsa3-publish.yml
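Review bot: The `uses: actions/checkout@...` entry added under `steps:` in the second hunk has no `- ` sequence marker, so `steps` begins as a mapping and the `- name: Build artifacts` item that follows at the same indent cannot be parsed alongside it; the line should read `- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3`. The series corrects the marker in patch 8. In the first hunk the replaced comment lines appear to differ from the removed ones only by the dropped period on `builder` and by trailing whitespace, which yamllint's trailing-spaces rule will flag.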
@@ -3,9 +3,8 @@
 # separate terms of service, privacy policy, and support
 # documentation.
-# This workflow lets you compile your Go project using a SLSA3 compliant builder
-# This workflow will generate a so-called "provenance" file describing the steps
-# that were performed to generate the final binary.
+# This workflow lets you generate SLSA provenance file for your project.
+# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
 # The project is an initiative of the OpenSSF (openssf.org) and is developed at
 # https://github.com/slsa-framework/slsa-github-generator.
 # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
@@ -26,7 +25,7 @@ jobs:
 digests: ${{ steps.hash.outputs.digests }}
 steps:
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
+ uses: actions/checkout@v3
 # ========================================================
 #
@@ -52,7 +51,10 @@ jobs:
 run: |
 set -euo pipefail
- echo "::set-output name=digests::$(sha256sum artifact1 artifact2 | base64 -w0)"
+ # List the artifacts the provenance will refer to.
+ files=$(ls artifact*)
+ # Generate the subjects (base64 encoded).
+ echo "::set-output name=digests::$(sha256sum $files | base64 -w0)"
 provenance:
 needs: [build]
diff --git a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json
index 2861c3f1ef..32cf63d06b 100644
--- a/ci/properties/generator-generic-ossf-slsa3-publish.properties.json
+++ b/ci/properties/generator-generic-ossf-slsa3-publish.properties.json
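Review bot: The checkout step in the second hunk replaces the full commit SHA pin with the mutable tag `actions/checkout@v3`, so the action code this job executes can change without any edit to the workflow, which undercuts a template whose purpose is SLSA level 3 provenance; keep the pin, `- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3`, and bump it deliberately. The same `@v3` reference is carried into the patch 8 hunk. In the third hunk, `files=$(ls artifact*)` parses `ls` output and depends on unquoted word-splitting; pass the glob to `sha256sum` directly, `echo "::set-output name=digests::$(sha256sum artifact* | base64 -w0)"`, which also removes the intermediate variable.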
@@ -2,6 +2,6 @@
 "name": "SLSA Generic generator",
 "creator": "Open Source Security Foundation (OpenSSF)",
 "description": "Generate SLSA3 provenance for your existing release workflows",
- "iconName": "go-ossf-slsa3-publish",
- "categories": ["Continuous integration"]
+ "iconName": "generator-generic-ossf-slsa3-publish",
+ "categories": ["Continuous integration", "Go", "Elixir", "Erlang", "PHP", "Haskell", "Rust", "Java", "Scala", "Gradle", "Maven", "Python", "C", "C++", "TypeScript", "JavaScript", "npm", "Ruby", "HTML", "Composer", "Makefile", "Ada"]
 }

From 6f7030b18ad1da672b55b9ca4f6ec1abed29f7ed Mon Sep 17 00:00:00 2001
From: laurentsimon
Date: Thu, 11 Aug 2022 13:32:01 +0000
Subject: [PATCH 8/8] update

---
 ci/generator-generic-ossf-slsa3-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ci/generator-generic-ossf-slsa3-publish.yml b/ci/generator-generic-ossf-slsa3-publish.yml
index c8a35441a7..a249449a5a 100644
--- a/ci/generator-generic-ossf-slsa3-publish.yml
+++ b/ci/generator-generic-ossf-slsa3-publish.yml
@@ -25,7 +25,7 @@ jobs:
 digests: ${{ steps.hash.outputs.digests }}
 steps:
- uses: actions/checkout@v3
+ - uses: actions/checkout@v3
 # ========================================================
 #