try checklevelprov in action (#57)

Signed-off-by: Tom Hennen <[email protected]>

Author: TomHennen

actions/slsa_with_provenance/action.yml

@@ -20,12 +20,12 @@ runs:
         path: ${{ github.workspace }}/metadata/prev_bundle.intoto.jsonl
     - id: determine_level
       run: |
-        go run github.com/slsa-framework/slsa-source-poc/sourcetool@9db86884defc341b81cda6099e72e1d6ccc0d701 prov --prev_att_path ${{ github.workspace }}/metadata/prev_bundle.intoto.jsonl --commit ${{ github.sha }} --prev_commit ${{ github.event.before }} --owner ${{ github.repository_owner }} --repo ${{ github.event.repository.name }} --branch ${{ github.ref_name }} >> ${{ github.workspace }}/metadata/unsigned_prov.json
+        go run github.com/slsa-framework/slsa-source-poc/sourcetool@dc0d9d3269c17312141a64a28fbda43aae9a3274 checklevelprov --prev_bundle_path ${{ github.workspace }}/metadata/prev_bundle.intoto.jsonl --commit ${{ github.sha }} --prev_commit ${{ github.event.before }} --owner ${{ github.repository_owner }} --repo ${{ github.event.repository.name }} --branch ${{ github.ref_name }} --output_unsigned_bundle ${{ github.workspace }}/metadata/unsigned_bundle.jsonl
       shell: bash
     - id: summary
       run: |
         echo "## Unsigned Provenance" >> $GITHUB_STEP_SUMMARY
-        cat ${{ github.workspace }}/metadata/unsigned_prov.json >> $GITHUB_STEP_SUMMARY
+        cat ${{ github.workspace }}/metadata/unsigned_bundle.jsonl >> $GITHUB_STEP_SUMMARY
       shell: bash
     - id: install_witness
       # This is a bit of a hack, running witness happens to also install it.
@@ -38,17 +38,17 @@ runs:
     - id: sign_prov
       # Use witness to sign that provenance...
       run: |
-        witness sign -f ${{ github.workspace }}/metadata/unsigned_prov.json -t "application/vnd.in-toto+json" -o ${{ github.workspace }}/metadata/signed_prov.json \
+        witness sign -f ${{ github.workspace }}/metadata/unsigned_bundle.jsonl -t "application/vnd.in-toto+json" -o ${{ github.workspace }}/metadata/signed_bundle.jsonl \
         --signer-fulcio-url https://fulcio.sigstore.dev \
         --signer-fulcio-oidc-client-id sigstore \
         --signer-fulcio-oidc-issuer https://oauth2.sigstore.dev/auth \
         --timestamp-servers https://freetsa.org/tsr
         echo "## Signed Prov" >> $GITHUB_STEP_SUMMARY
-        cat ${{ github.workspace }}/metadata/signed_prov.json >> $GITHUB_STEP_SUMMARY
+        cat ${{ github.workspace }}/metadata/signed_bundle.jsonl >> $GITHUB_STEP_SUMMARY
       shell: bash
     - uses: slsa-framework/slsa-source-poc/actions/store_note@main
       with:
-        path: ${{ github.workspace }}/metadata/signed_prov.json
+        path: ${{ github.workspace }}/metadata/signed_bundle.jsonl
     - uses: actions/upload-artifact@v4
       if: always()
       with:

actions/vsa_creator/action.yml

@@ -16,7 +16,7 @@ runs:
       shell: bash
     - id: determine_level
       run: |
-        echo "source_level=$(go run github.com/slsa-framework/slsa-source-poc/sourcetool@922b9965dae9c3e8c9e2c5a5f30c720a4fe11354 checklevel --commit ${{ github.sha }} --owner ${{ github.repository_owner }} --repo ${{ github.event.repository.name }} --branch ${{ github.ref_name }} --output_unsigned_vsa ${{ github.workspace }}/metadata/unsigned_vsa.json)" >> $GITHUB_OUTPUT
+        echo "source_level=$(go run github.com/slsa-framework/slsa-source-poc/sourcetool@dc0d9d3269c17312141a64a28fbda43aae9a3274 checklevel --commit ${{ github.sha }} --owner ${{ github.repository_owner }} --repo ${{ github.event.repository.name }} --branch ${{ github.ref_name }} --output_unsigned_vsa ${{ github.workspace }}/metadata/unsigned_vsa.json)" >> $GITHUB_OUTPUT
       shell: bash
     - id: summary
       run: |