Merge pull request #74 from janfuhrer/ci/fix-verification

ci: fix asset verification

.github/workflows/README.md

@@ -75,7 +75,7 @@ The release workflow includes multiple jobs to create a release of the project.
 ### Go Release
 
 This repository uses [goreleaser](https://goreleaser.com/) to create all the release artifacts. GoReleaser can build and release Go binaries for multiple platforms, create archives/container images/SBOMs and more. All the configuration for the release is stored in the file [.goreleaser.yml](./../../.goreleaser.yml).
-For all the release artifacts (`*.tar.gz`, `*.zip`, `*.sbom`), provenance is generated using the [SLSA Generic Generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md). The provenance file is uploaded to the release assets and can be verified using the `slsa-verifier` tool (see [Release Verification](./../../SECURITY.md#release-verification)).
+For all the release artifacts (`*.tar.gz`, `*.zip`, `*.sbom.json`), provenance is generated using the [SLSA Generic Generator](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md). The provenance file is uploaded to the release assets and can be verified using the `slsa-verifier` tool (see [Release Verification](./../../SECURITY.md#release-verification)).
 
 ### Container Release
 

.github/workflows/release.yml

@@ -32,6 +32,7 @@ jobs:
         with:
           go-version-file: 'go.mod'
           check-latest: true
+          cache: false
       - name: Install Syft
         uses: anchore/sbom-action/download-syft@e8d2a6937ecead383dfe75190d104edd1f9c5751 # v0.16.0
       - name: Install Cosign
@@ -40,7 +41,7 @@ jobs:
         id: goreleaser
         uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
         with:
-          version: latest
+          version: '~> v1'
           args: release --clean
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -72,6 +73,7 @@ jobs:
         with:
           go-version-file: 'go.mod'
           check-latest: true
+          cache: false
       - name: Install Cosign
         uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
       - name: Publish podsalsa
@@ -136,7 +138,7 @@ jobs:
           set -euo pipefail
           gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.tar.gz"
           gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.zip"
-          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.sbom"
+          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "*.sbom.json"
           gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$PROVENANCE"
       # verify each artifact in checksum.txt file with the provenance
       - name: Verify assets

SECURITY.md

@@ -40,7 +40,7 @@ cat multiple.intoto.jsonl | jq -r '.payload' | base64 -d | jq
 
 ### Verify provenance of release artifacts
 
-To verify the release artifacts (go binaries and SBOMs) you can use the `slsa-verifier`. This verification works for all release artifcats (`*.tar.gz`, `*.zip`, `*.sbom`).
+To verify the release artifacts (go binaries and SBOMs) you can use the `slsa-verifier`. This verification works for all release artifcats (`*.tar.gz`, `*.zip`, `*.sbom.json`).
 
 ```bash
 # example for the "podsalsa-darwin-amd64.tar.gz" artifact
@@ -191,7 +191,7 @@ The Software Bill of Materials (SBOM) is generated in CycloneDX JSON format for
 
 #### Go binary archives
 
-The SBOMs of the Go binary archives are provided in the `*.tar.gz.sbom` files of the release and can be verified using the `slsa-verifier` (see [Verify the provenance of release artifacts](#verify-provenance-of-release-artifacts)).
+The SBOMs of the Go binary archives are provided in the `*.tar.gz.sbom.json` files of the release and can be verified using the `slsa-verifier` (see [Verify the provenance of release artifacts](#verify-provenance-of-release-artifacts)).
 
 #### Container images