eBay · justinabrahms · Mar 20, 2023 · Mar 19, 2023 · Mar 20, 2023
diff --git a/.github/workflows/go-ossf-slsa3-publish.yml b/.github/workflows/go-ossf-slsa3-publish.yml
@@ -57,9 +57,43 @@ jobs:
         arch:
           - amd64
           - arm64
-    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.2.2
+    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.5.0
     with:
       go-version: 1.17
       # Optional: only needed if using ldflags.
       evaluated-envs: "COMMIT_DATE:${{needs.args.outputs.commit-date}}, COMMIT:${{needs.args.outputs.commit}}, VERSION:${{needs.args.outputs.version}}, TREE_STATE:${{needs.args.outputs.tree-state}}"
       config-file: slsa/goreleaser-${{matrix.os}}-${{matrix.arch}}.yml
+
+  verification:
+    needs:
+      - build
+    runs-on: ubuntu-latest
+    permissions: read-all
+    steps:
+      # Note: this will be replaced with the GHA in the future.
+      - name: Install the verifier
+        uses: slsa-framework/slsa-verifier/actions/[email protected]
+
+      - name: Download assets
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          ATT_FILE_NAME: "${{ needs.build.outputs.go-binary-name }}.intoto.jsonl"
+          ARTIFACT: ${{ needs.build.outputs.go-binary-name }}
+        run: |
+          set -euo pipefail
+
+          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p $ARTIFACT
+          gh -R "$GITHUB_REPOSITORY" release download "$GITHUB_REF_NAME" -p "$ATT_FILE_NAME"
+
+      - name: Verify assets
+        env:
+          ARTIFACT: ${{ needs.build.outputs.go-binary-name }}
+          ATT_FILE_NAME: "${{ needs.build.outputs.go-binary-name }}.intoto.jsonl"
+        run: |
+          set -euo pipefail
+
+          echo "Verifying $ARTIFACT using $ATT_FILE_NAME"
+          slsa-verifier verify-artifact --provenance-path "$ATT_FILE_NAME" \
+                                        --source-uri "github.com/$GITHUB_REPOSITORY" \
+                                        --source-tag "$GITHUB_REF_NAME" \
+                                        "$ARTIFACT"