docs: update installation to cover the Action and to receive updates #523
Conversation
Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
|
@mihaimaruseac would appreciate if you could try this setup and confirm you don't encounter problems |
laurentsimon
changed the title
README.md
Outdated
| Tools like [dependabot](https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuring-dependabot-version-updates) or [renovate](https://github.com/renovatebot/renovate) use your project's go.mod to identify the version of your dependencies. | ||
| If you install the verifier in CI, we strongly recommend you follow the steps below to keep the verifier up-to-date: | ||
|
|
||
| 1. Create a tooling/slsa-verifier.go file containing the following: |
There was a problem hiding this comment.
nit: I want to say that folks used to use this pattern with a file name like *_test.go for a reason, but it escapes me what that reason is. In any case you probably want to name the file like tools.go and that way they can list any CLI tools they need in the same file.
Also, Go doesn't really like file names with hyphen in them, but I don't think it really matters so much in this case.
There was a problem hiding this comment.
updated the filename to tooling_test.go
README.md
Outdated
| 1. To install the verifier in your CI, run the following commands: | ||
| ```bash | ||
| $ cd tooling | ||
| $ go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier |
There was a problem hiding this comment.
FWIW, go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier can be run from anywhere. I think you want to do something like go install . which will install all of the tooling listed in your tools.go or whatever.
There was a problem hiding this comment.
I tried go install . and it did not work: import "github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier" is a program, not an importable package. I've replaced the command with grep _ tooling_test.go | cut -f2 -d '"' | xargs -n1 -t go install. ptal
There was a problem hiding this comment.
will merge for the RC, @ianlewis if you have feedback let me know
There was a problem hiding this comment.
I kind of thought there was a more convenient way of installing them but maybe I'm misremembering. It's been a while since I've seen/used this pattern.
Signed-off-by: laurentsimon <[email protected]>
Signed-off-by: laurentsimon <[email protected]>
Co-authored-by: asraa <[email protected]> Signed-off-by: laurentsimon <[email protected]>
Co-authored-by: asraa <[email protected]> Signed-off-by: laurentsimon <[email protected]>
closes #522