revert: Revert "ci: Generate hashes for SLSA #153" (#280)

Co-authored-by: Daniel Elsner <daniel.elsner@quantco.com>

Author: ManuelLerchnerQC

.github/workflows/build.yml

@@ -99,44 +99,9 @@ jobs:
           path: pixi-unpack-${{ matrix.target }}${{ endsWith(matrix.target, 'windows-msvc') && '.exe' || '' }}
           if-no-files-found: error
 
-  hashes:
-    name: Compute hashes
-    needs: [metadata, build]
-    if: needs.metadata.outputs.release == 'true'
-    runs-on: ubuntu-latest
-    outputs:
-      hashes: ${{ steps.hash.outputs.hashes }}
-    steps:
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      - name: Download artifacts
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          pattern: pixi-*
-          merge-multiple: true
-      - name: Compute hashes
-        id: hash
-        run: |
-          set -exuo pipefail
-          files=$(ls pixi-*)
-          echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
-
-  provenance:
-    needs: [metadata, hashes]
-    permissions:
-      actions: read
-      id-token: write
-      contents: write
-    if: needs.metadata.outputs.release == 'true'
-    # This cannot be pinned: https://github.com/slsa-framework/slsa-github-generator?tab=readme-ov-file#referencing-slsa-builders-and-generators
-    # https://github.com/slsa-framework/slsa-verifier/issues/12
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
-    with:
-      base64-subjects: "${{ needs.hashes.outputs.hashes }}"
-      upload-assets: false
-
   release:
     name: Create Release
-    needs: [metadata, build, provenance]
+    needs: [metadata, build]
     if: needs.metadata.outputs.release == 'true'
     runs-on: ubuntu-latest
     permissions:
@@ -148,11 +113,6 @@ jobs:
         with:
           pattern: pixi-*
           merge-multiple: true
-      - name: Download provenance
-        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-        with:
-          name: ${{ needs.provenance.outputs.provenance-name }}
-          merge-multiple: true
       - name: Push v${{ needs.metadata.outputs.version }} tag
         run: |
           git tag v${{ needs.metadata.outputs.version }}
@@ -163,6 +123,4 @@ jobs:
           generate_release_notes: true
           tag_name: v${{ needs.metadata.outputs.version }}
           draft: true
-          files: |
-            ${{ needs.provenance.outputs.provenance-name }}
-            pixi-*
+          files: pixi-*

.typos.toml

@@ -1,5 +1,4 @@
 [default.extend-words]
-intoto = "intoto"
 concurreny = "concurreny" # xref: https://github.com/conda/rattler/pull/1479
 
 [files]

README.md

@@ -281,23 +281,11 @@ conda env create -p ./env --file environment.yml
 > - Add `pip` to your `pixi.lock` file using `pixi add pip`.
 > - Configuring `conda` (or `mamba`) to not install `pip` by default by running `conda config --set add_pip_as_python_dependency false` (or by adding `add_pip_as_python_dependency: False` to your `~/.condarc`)
 
-## Build provenance
+## Build attestations
 
-The builds that are uploaded to releases on GitHub have build provenance using [slsa.dev](https://slsa.dev/).
-You can verify their provenance using:
-
-```
-pixi exec slsa-verifier verify-artifact pixi-pack-<architecture> \
-    --provenance-path multiple.intoto.jsonl \
-    --source-uri github.com/quantco/pixi-pack \
-    --source-branch main
-```
-
-Due to the setup of the release pipeline, the git tag is not part of the provenance but you can instead verify the commit id.
-
-In addition to the `intoto` files, we also upload build attestations to GitHub.
+Build attestations are uploaded to GitHub Artifact Attestations.
 You can verify a binary using the `gh` CLI:
 
-```
+```bash
 gh attestation verify --repo Quantco/pixi-pack pixi-pack-<architecture>
 ```