From 38201ae62cb7ab981f6b5c9b702c855ba79f8b89 Mon Sep 17 00:00:00 2001
From: Mark Chmarny
Date: Fri, 5 May 2023 10:35:17 -0700
Subject: [PATCH] update slsa

---
 .github/workflows/on-tag-img.yaml |  1 -
 .github/workflows/sign.yaml       | 22 ++++------------------
 .github/workflows/slsa.yaml       |  1 -
 3 files changed, 4 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/on-tag-img.yaml b/.github/workflows/on-tag-img.yaml
index 2365ecf2..9a58dc33 100644
--- a/.github/workflows/on-tag-img.yaml
+++ b/.github/workflows/on-tag-img.yaml
@@ -97,7 +97,6 @@ jobs:
       auth_user: ${{ needs.conf.outputs.service_account }}
       cosign_version: ${{ needs.conf.outputs.cosign_version }}
       image_digest: ${{ needs.image.outputs.digest }}
-      scan_severity: ${{ needs.conf.outputs.err_on_vulnerability_sev }}
   provenance:
     needs:
diff --git a/.github/workflows/sign.yaml b/.github/workflows/sign.yaml
index 1f0f6bb7..1c7dd9eb 100644
--- a/.github/workflows/sign.yaml
+++ b/.github/workflows/sign.yaml
@@ -19,10 +19,6 @@ on:
         description: 'The version of cosign to use'
         required: true
         type: string
-      scan_severity:
-        description: 'Error on vulnerability scan severity'
-        required: true
-        type: string
 permissions:
   contents: read
@@ -51,35 +47,25 @@ jobs:
       - name: Auth Cosign
         run: |
-          set -euo pipefail
-          cosign version
           reg=$(echo ${{ inputs.image_digest }} | cut -d/ -f1)
           cosign login ${reg} --username=oauth2accesstoken --password=${{ steps.auth.outputs.access_token }}
       - name: Generate Keys
         run: |
-          set -euo pipefail
           COSIGN_PASSWORD=$(openssl rand -base64 12) cosign generate-key-pair
-      - name: Attest Image
+      - name: Sign Image
         env:
-          COSIGN_EXPERIMENTAL: "true"
+          COSIGN_YES: true
         run: |
-          set -euo pipefail
           cosign sign ${{ inputs.image_digest }} \
-            --force \
             --key cosign.key \
             -a sha=${{ github.sha }} \
             -a run_id=${{ github.run_id }} \
             -a run_attempt=${{ github.run_attempt }} \
             -a tag=${{ env.GITHUB_REF_NAME }}
-      - name: Attest Image
-        env:
-          COSIGN_EXPERIMENTAL: "true"
+      - name: Verify Signature
         run: |
-          set -euo pipefail
-          cosign verify \
-            --key cosign.pub \
-            ${{ inputs.image_digest }}
+          cosign verify --key cosign.pub ${{ inputs.image_digest }}
diff --git a/.github/workflows/slsa.yaml b/.github/workflows/slsa.yaml
index 561af3f9..7708dd47 100644
--- a/.github/workflows/slsa.yaml
+++ b/.github/workflows/slsa.yaml
@@ -79,7 +79,6 @@ jobs:
       # SLSA provenance verification using slsa-verifier.
       - name: Verify SLSA Provenance
         run: |-
-          set -euo pipefail
           slsa-verifier version
           slsa-verifier verify-image ${{ inputs.image_digest }} \
             --source-uri "github.com/$GITHUB_REPOSITORY" \
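Review bot: Removing `set -euo pipefail` from the Auth Cosign, Generate Keys, Sign Image and Verify Signature run blocks (and from the Verify SLSA Provenance step in slsa.yaml) makes the fail-fast behaviour of these steps depend on the workflow's default shell, which is not visible in the hunk; without a `shell:` key GitHub runs `run` scripts as `bash -e {0}`, so `-e` survives but `-u` and `pipefail` do not, and a `defaults.run.shell` declared elsewhere would change even that. Nothing in these particular scripts appears to rely on `-u` or `pipefail` (the only pipeline is `reg=$(echo ${{ inputs.image_digest }} | cut -d/ -f1)`, whose `echo` cannot fail), so the change is behaviour-preserving only as long as the implicit default holds; making it explicit with `shell: bash` on the steps, which GitHub runs as `bash --noprofile --norc -eo pipefail {0}`, keeps the guard without the boilerplate line. Separately, `COSIGN_YES: true` is an unquoted YAML boolean where the `COSIGN_EXPERIMENTAL: "true"` line it replaces was a quoted string; `COSIGN_YES: "true"` keeps the env value an explicit string, consistent with the rest of the file. The rewritten `cosign verify --key cosign.pub ${{ inputs.image_digest }}` line checks the signature against the key pair generated two steps earlier in the same job, so it confirms that the sign step succeeded rather than establishing trust for an external verifier; a one-line comment above the step saying so, e.g. `# sanity check against the ephemeral key generated above; not an external trust decision`, would stop a reader assuming more. The job and step list that contain these steps start and end outside the hunk.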