Per docs/v1-rc1-operational-gaps.md §1 SLSA L3, remediation step 1.
Current release pipeline uses generator_generic_slsa3.yml (L2-enforced on the generic path). The Go-specific generator runs the compile inside the reusable workflow's controlled environment and produces L3-marked attestation.
Work: rewire the package job in .github/workflows/release.yml around generator_go_slsa3.yml. Likely needs a wrapper module that invokes make build from the generator's prep step (OCB's per-platform submodule regen complicates direct integration).
Acceptance: gh attestation verify --predicate-type https://slsa.dev/provenance/v1 returns a predicate whose buildDefinition.buildType resolves to the Go generator's L3-marked workflow.
Effort: M (1-2 weeks).
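An added example, not part of the issue or the project's code: an offline check of the acceptance fields on a DSSE-wrapped in-toto statement. It assumes the envelope has already passed `gh attestation verify` (no signature verification happens here), compares `buildType` by exact match, and uses placeholder build type URIs and a constructed envelope.

```python
import base64
import hashlib
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
# Placeholders (assumptions): substitute the buildType URIs the generators actually emit.
GO_BUILD_TYPE = "https://example.invalid/go-generator-buildtype"
GENERIC_BUILD_TYPE = "https://example.invalid/generic-generator-buildtype"


def check_provenance(envelope, artifact, expected_build_type):
    """Return a list of acceptance failures; an empty list means the check passes."""
    # Signature verification is out of scope: run this only on an envelope
    # that gh attestation verify has already accepted.
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        return [f"unexpected payloadType: {envelope.get('payloadType')!r}"]
    try:
        statement = json.loads(base64.b64decode(envelope["payload"], validate=True))
    except (KeyError, ValueError) as exc:
        return [f"payload is not base64-encoded JSON: {exc}"]
    if not isinstance(statement, dict):
        return ["statement is not a JSON object"]
    failures = []
    if statement.get("predicateType") != SLSA_V1:
        failures.append(f"predicateType is {statement.get('predicateType')!r}")
    build_type = statement.get("predicate", {}).get("buildDefinition", {}).get("buildType")
    if build_type != expected_build_type:
        failures.append(f"buildType is {build_type!r}")
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest
               for s in statement.get("subject", [])):
        failures.append("no subject matches the artifact's sha256")
    return failures


def make_envelope(build_type, artifact):
    """Build a constructed, unsigned sample envelope for the checks above."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "sample-binary",
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_V1,
        "predicate": {"buildDefinition": {"buildType": build_type}},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {"payloadType": INTOTO_PAYLOAD_TYPE, "payload": payload, "signatures": []}
```

A release gate would fail on any non-empty result, which also catches provenance still coming from the generic generator path.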