Commit 115b628
docs: clarify trusted-download spot-check scope; fix asset-preference docstring
Address review nits on the TRUSTED_DOWNLOAD_PROVENANCE escape hatch:
- verify_trusted_download_provenance docstring listed checksums.txt /
SHA256SUMS as preferred spot-check assets, contradicting
_PROVENANCE_ASSET_PREFERENCES (which intentionally excludes them, as
they carry in-toto rather than SLSA provenance and would 404 under
`gh attestation verify`). Rewrite to match the actual preference list.
- Add a scope caveat in both the docstring and README: the spot-check
proves the release repo's pipeline attests and that its latest release
is immutable, but does not machine-verify the action->release_repo
binding nor that the specific fetched version is itself immutable
(only releases/latest is checked). Those remain review-time assertions.
Docs/comment-only; all 144 security tests still pass.
Generated-by: Claude Opus 4.8 (claude-opus-4-8) via Claude Code
1 parent 9eb759a commit 115b628
2 files changed
Lines changed: 17 additions & 4 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
233 | 233 | | |
234 | 234 | | |
235 | 235 | | |
236 | | - | |
| 236 | + | |
237 | 237 | | |
238 | 238 | | |
239 | 239 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2032 | 2032 | | |
2033 | 2033 | | |
2034 | 2034 | | |
2035 | | - | |
2036 | | - | |
2037 | | - | |
| 2035 | + | |
| 2036 | + | |
| 2037 | + | |
| 2038 | + | |
| 2039 | + | |
| 2040 | + | |
| 2041 | + | |
2038 | 2042 | | |
2039 | 2043 | | |
| 2044 | + | |
| 2045 | + | |
| 2046 | + | |
| 2047 | + | |
| 2048 | + | |
| 2049 | + | |
| 2050 | + | |
| 2051 | + | |
| 2052 | + | |
2040 | 2053 | | |
2041 | 2054 | | |
2042 | 2055 | | |
| |||