fix: added minor change to address pr feedback

lockwobr · lockwobr · commit d357bacccb58 · 2026-02-23T17:47:35.000-08:00
diff --git a/.github/actions/generate-slsa-predicate/action.yml b/.github/actions/generate-slsa-predicate/action.yml
@@ -28,7 +28,7 @@ runs:
       run: |
         set -euo pipefail
         PREDICATE="${RUNNER_TEMP}/slsa-predicate.json"
-        cat > "$PREDICATE" <<EOF
+        cat > "$PREDICATE" <<-EOF
         {
           "buildDefinition": {
             "buildType": "https://aicr.nvidia.com/binary/v1",
diff --git a/.github/workflows/build-attested.yaml b/.github/workflows/build-attested.yaml
@@ -16,6 +16,13 @@
 # Produces tar.gz archives with SLSA Build Provenance v1 attestation
 # as downloadable job artifacts.
 
+## NOTE: THIS WORKFLOW IS FOR TESTING PURPOSES ONLY.
+## if you need something attested by ci. This does not run tests or security scans.
+## The only complete/valid way to attest that passes all validation is via on-tag.yaml.
+## Validate attestations requires to pass the following certificate identity regexp:
+##  --certificate-identity-regexp 'https://github.com/NVIDIA/aicr/.github/workflows/on-tag\.yaml@refs/tags/.*' 
+## so this attestation is not the same as a production release.
+
 name: Build Attested Binaries
 
 on:
@@ -27,6 +34,7 @@ permissions:
 
 jobs:
   build-and-attest:
+    needs: [tests, security-scan]
     name: Build and Attest Binaries
     runs-on: ubuntu-latest
     timeout-minutes: 15
diff --git a/.goreleaser.yaml b/.goreleaser.yaml
@@ -35,6 +35,8 @@ builds:
       -X github.com/NVIDIA/aicr/pkg/cli.date={{.Date}}
     hooks:
       post:
+        ## cosign v1 attestation with slsa provenance v1. 
+        ## NOTE: below aicrd currently attests via github attestation
         - cmd: >-
             bash -c '[ -z "${SLSA_PREDICATE:-}" ] && exit 0;
             cosign attest-blob
diff --git a/install b/install
@@ -238,7 +238,7 @@ main() {
       "${temp_dir}/${BIN_NAME}" 2>/dev/null; then
       msg "Attestation verified: binary built by github.com/NVIDIA/aicr"
     else
-      msg "Warning: attestation verification failed (binary may not be from an official release)"
+      msg "Warning: attestation verification failed — cannot confirm this binary was built by the official CI pipeline"
     fi
   elif [[ -f "${temp_dir}/${BIN_NAME}-attestation.sigstore.json" ]]; then
     msg "Tip: install cosign to verify binary attestation (https://docs.sigstore.dev/cosign/system_config/installation/)"

Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ runs:`
`28`	`28`	`run: \|`
`29`	`29`	`set -euo pipefail`
`30`	`30`	`PREDICATE="${RUNNER_TEMP}/slsa-predicate.json"`
`31`		`- cat > "$PREDICATE" <<EOF`
	`31`	`+ cat > "$PREDICATE" <<-EOF`
`32`	`32`	`{`
`33`	`33`	`"buildDefinition": {`
`34`	`34`	`"buildType": "https://aicr.nvidia.com/binary/v1",`