From 1791e6d67b3b17afff0b927b14957ef717910e44 Mon Sep 17 00:00:00 2001 From: gal-legit Date: Mon, 21 Nov 2022 21:22:04 +0200 Subject: [PATCH 1/5] Fix docs for goreleaser with the generic builder to include docker digest --- internal/builders/generic/README.md | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md index b7fbd5848b..dc3abc4687 100644 --- a/internal/builders/generic/README.md +++ b/internal/builders/generic/README.md @@ -338,7 +338,7 @@ jobs: [...] - name: Run GoReleaser id: run-goreleaser - uses: goreleaser/goreleaser-action@b953231f81b8dfd023c58e0854a721e35037f28b # tag=v3 + uses: goreleaser/goreleaser-action@b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # tag=v3.2.0 ``` @@ -351,9 +351,8 @@ jobs: ARTIFACTS: "${{ steps.run-goreleaser.outputs.artifacts }}" run: | set -euo pipefail - - checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') - echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" + hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0) + echo "hashes=$hashes" >> $GITHUB_OUTPUT ``` 4. Call the generic workflow to generate provenance by declaring the job below: From 82021b5652f8212f2d751ac81a401b3d6c870725 Mon Sep 17 00:00:00 2001 From: gal-legit Date: Mon, 21 Nov 2022 22:39:23 +0200 Subject: [PATCH 2/5] add backwards compatiblity for goreleaser versions prior v1.13.0 --- internal/builders/generic/README.md | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md index dc3abc4687..120466caf7 100644 --- a/internal/builders/generic/README.md +++ b/internal/builders/generic/README.md 
@@ -331,7 +331,7 @@ jobs: hashes: ${{ steps.hash.outputs.hashes }} ``` -2. Add an `id: run-goreleaser` field to your goreleaser step: +2. Add an `id: run-goreleaser` field to your goreleaser step. Use goreleaser version >= v1.13.0 to enable provenance generation for dockers. ```yaml steps: @@ -352,6 +352,10 @@ jobs: run: | set -euo pipefail hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0) + if test "$hashes" = ""; then # goreleaser < v1.13.0 + checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') + hashes=$(cat $checksum_file | base64 -w0) + fi echo "hashes=$hashes" >> $GITHUB_OUTPUT ``` From 50f47cc0ec43308e09171549493c6c866793e271 Mon Sep 17 00:00:00 2001 From: gal-legit Date: Mon, 21 Nov 2022 22:51:42 +0200 Subject: [PATCH 3/5] add the new instructions for the all-in-all snippet as well --- internal/builders/generic/README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md index 120466caf7..8cd650d2d9 100644 --- a/internal/builders/generic/README.md +++ b/internal/builders/generic/README.md @@ -397,8 +397,12 @@ jobs: run: | set -euo pipefail - checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') - echo "hashes=$(cat $checksum_file | base64 -w0)" >> "$GITHUB_OUTPUT" + hashes=$(echo $ARTIFACTS | jq --raw-output '.[] | {name, "digest": (.extra.Digest // .extra.Checksum)} | select(.digest) | {digest} + {name} | join(" ") | sub("^sha256:";"")' | base64 -w0) + if test "$hashes" = ""; then # goreleaser < v1.13.0 + checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select (.type=="Checksum") | .path') + hashes=$(cat $checksum_file | base64 -w0) + fi + echo "hashes=$hashes" >> $GITHUB_OUTPUT provenance: needs: [goreleaser] 
From 8ed4911ae505e1a652b62f56f55cf0a5f54569b5 Mon Sep 17 00:00:00 2001 From: gal-legit Date: Tue, 22 Nov 2022 10:26:19 +0200 Subject: [PATCH 4/5] add notes --- internal/builders/generic/README.md | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md index 8cd650d2d9..d444765511 100644 --- a/internal/builders/generic/README.md +++ b/internal/builders/generic/README.md @@ -322,6 +322,11 @@ This section explains how to generate non-forgeable SLSA provenance with existin If you use [GoReleaser](https://github.com/goreleaser/goreleaser-action) to generate your build, you can easily generate SLSA3 provenance by updating your existing workflow with the steps indicated in the workflow below: +**Notes**: +- Make sure you did not disable checksum generation in the goreleaser yml. +- Make sure you specified sha256 as the algorithm for the checksum or left it empty (sha256 is the default). +- To enable provenance generation for dockers (as well as artifacts), use goreleaser version >= v1.13.0. + 1. Declare an `outputs` for the GoReleaser job: ```yaml @@ -331,7 +336,7 @@ jobs: hashes: ${{ steps.hash.outputs.hashes }} ``` -2. Add an `id: run-goreleaser` field to your goreleaser step. Use goreleaser version >= v1.13.0 to enable provenance generation for dockers. +2. Add an `id: run-goreleaser` field to your goreleaser step: ```yaml steps: From 8627ad214bc1051810a15a85cd7842cf15ca9cf6 Mon Sep 17 00:00:00 2001 From: gal-legit Date: Tue, 22 Nov 2022 18:05:21 +0200 Subject: [PATCH 5/5] add link to goreleaser release with the new docker feature --- internal/builders/generic/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/internal/builders/generic/README.md b/internal/builders/generic/README.md index d444765511..366025a15e 100644 --- a/internal/builders/generic/README.md +++ b/internal/builders/generic/README.md 
@@ -325,7 +325,7 @@ generate SLSA3 provenance by updating your existing workflow with the steps indi **Notes**: - Make sure you did not disable checksum generation in the goreleaser yml. - Make sure you specified sha256 as the algorithm for the checksum or left it empty (sha256 is the default). -- To enable provenance generation for dockers (as well as artifacts), use goreleaser version >= v1.13.0. +- To enable provenance generation for dockers (as well as artifacts), use [goreleaser version >= v1.13.0](https://github.com/goreleaser/goreleaser/releases/tag/v1.13.0). 1. Declare an `outputs` for the GoReleaser job:
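Review bot: in the first hunk of patch 1 (the `uses: goreleaser/goreleaser-action@...` line) the pin moves from `b953231f81b8dfd023c58e0854a721e35037f28b # tag=v3` to `b508e2e3ef3b19d4e4146d4f8fb3ba9db644a757 # tag=v3.2.0`; keeping a full commit SHA rather than a floating tag is the right call for a SLSA guide, but the `# tag=` comment is documentation only, so confirm before merging that this SHA is the commit the v3.2.0 tag resolves to (the tag can be moved, the SHA cannot). It is also worth one sentence in the prose pointing out that this pins the action, not goreleaser itself: the README's new note asks for goreleaser >= v1.13.0, and that is selected by the action's `version` input, so a reader who only bumps the action pin may still run an older goreleaser and land in the fallback branch.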
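Review bot: the second hunk of patch 1 loses the quoting the removed lines had: `hashes=$(echo $ARTIFACTS | jq ...)` passes `$ARTIFACTS` unquoted, so the shell word-splits and glob-expands the JSON before jq sees it, and `>> $GITHUB_OUTPUT` is unquoted where the old line wrote `>> "$GITHUB_OUTPUT"`. Use `echo "$ARTIFACTS" | jq ...` (or `jq ... <<<"$ARTIFACTS"`) and `>> "$GITHUB_OUTPUT"`. Two smaller points on the jq expression: `{digest} + {name} | join(" ")` relies on key order to emit `<digest> <name>` and on artifact names containing no whitespace, which deserves a comment since these lines are consumed in `sha256sum` format; and `sub("^sha256:";"")` strips the prefix only at the start of the line, i.e. from the digest, so say in the prose that both `extra.Digest` and the `extra.Checksum` fallback are expected to carry a `sha256:` prefix (the new README note already restricts the checksum algorithm to sha256).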
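Review bot: the fallback added in patch 2, `if test "$hashes" = ""; then # goreleaser < v1.13.0`, cannot tell an old goreleaser apart from a run where checksum generation is disabled or the checksum artifact is missing. In that case the `select (.type=="Checksum") | .path` lookup returns nothing, `checksum_file` is empty, and `cat $checksum_file` reads stdin instead of failing, so `set -euo pipefail` never trips and the step writes an empty `hashes` output that the provenance job then consumes. Guard it, e.g. `if [ -z "$checksum_file" ]; then echo "no checksum artifact found" >&2; exit 1; fi`, and quote `"$checksum_file"` and `"$ARTIFACTS"` while here. The trailing comment would also read better if it said why the branch exists, e.g. `# goreleaser < v1.13.0: no extra.Digest/extra.Checksum, fall back to the checksums file`.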
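Review bot: patch 3 copies the step-by-step `hashes` block verbatim into the all-in-one workflow snippet, so the README now carries two copies that must be kept in sync, and they already drifted once within this series (the step-by-step copy changed in patches 1 and 2 before this hunk caught up). The same quoting problems apply here: `echo $ARTIFACTS`, `cat $checksum_file` and `>> $GITHUB_OUTPUT` are unquoted, and the empty-`checksum_file` case is unguarded. If both copies are to stay, fix them in the same patch and consider a short sentence in the prose saying the full snippet is exactly the steps above concatenated, so future edits touch both.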
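Review bot: the `**Notes**` block added in patch 4 (and linked in patch 5) lists the preconditions but not what happens when they are violated; since the `hashes` step does not fail loudly in those cases, the first two bullets should say that disabled checksums or a non-sha256 algorithm result in an empty or mis-formatted `hashes` output rather than a clear error, and can name the goreleaser config field involved (`checksum.algorithm`, which defaults to sha256). Two wording points: "dockers" in the third bullet should be "Docker images", and "Make sure you did not disable checksum generation in the goreleaser yml" reads better as "Make sure checksum generation is not disabled in your `.goreleaser.yml`". Moving the version requirement out of step 2 and into the notes is fine, and the link to the v1.13.0 release in patch 5 is a good addition.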