From e855e4f712d485f7cef11a2194ef036cd76f52b4 Mon Sep 17 00:00:00 2001
From: Ramon Petgrave
Date: Mon, 13 May 2024 23:41:59 +0000
Subject: [PATCH] make attestations an io reader

Signed-off-by: Ramon Petgrave
---
 docs/API-Library.md | 9 +++++++--
 verifiers/internal/gha/verifier.go | 3 +--
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/docs/API-Library.md b/docs/API-Library.md
index 20fb31f4..8288e81f 100644
--- a/docs/API-Library.md
+++ b/docs/API-Library.md
@@ -34,7 +34,12 @@ func doVerify() (*apiUtils.TrustedBuilderID, error) {
 packageVersion := "0.1.127"
 packageName := "@ianlewis/actions-test"
 builderId := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml"
- attestations := []byte(`{"attestations":[{"predicateType":"https://giEntries":[{"logIndex":"2035" ... `)
+ attestationsReader, err := os.Open("../my/attestations.json")
+ if err != nil {
+ fmt.Printf("cant open attestations file: FAILED: %v", err)
+ return nil, err
+ }
+ defer attestationsReader.Close()
 tarballHash := "ab786dbef723164a605e55ff0ebe83f8e879159bd411980d4423c9b1646b858a537b4bc4d494fc8f71195db715e5c5e9ab4b8809f8b1b399cd30ac053d180ba7"
 provenanceOpts := &options.ProvenanceOpts{
 ExpectedSourceURI: "github.com/ianlewis/actions-test",
@@ -55,7 +60,7 @@ func doVerify() (*apiUtils.TrustedBuilderID, error) {
 fmt.Printf("creating SigstoreTuf client: %v", err)
 return nil, fmt.Errorf("creating SigstoreTuf client: %w", err)
 }
- _, outBuilderID, err := apiVerify.VerifyNpmPackageWithSigstoreTufClient(context.Background(), attestations, tarballHash, provenanceOpts, builderOpts, client)
+ _, outBuilderID, err := apiVerify.VerifyNpmPackageWithSigstoreTufClient(context.Background(), attestationsReader, tarballHash, provenanceOpts, builderOpts, client)
 if err != nil {
 fmt.Printf("Verifying npm package: FAILED: %v", err)
 return nil, err
diff --git a/verifiers/internal/gha/verifier.go b/verifiers/internal/gha/verifier.go
index c7b1d592..7fe8b42a 100644
--- a/verifiers/internal/gha/verifier.go
+++ b/verifiers/internal/gha/verifier.go
@@ -348,8 +348,7 @@ func (v *GHAVerifier) VerifyNpmPackageWithSigstoreTufClient(ctx context.Context,
 builderOpts *options.BuilderOpts,
 sigstoreTufClient utils.SigstoreTufClient,
 ) ([]byte, *utils.TrustedBuilderID, error) {
- var atts []byte
- _, err := attestations.Read(atts)
+ atts, err := io.ReadAll(attestations)
 if err != nil {
 return nil, nil, err
 }
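Review bot: The new `io.ReadAll(attestations)` drains the caller-supplied reader with no size bound, so an oversized or never-ending attestations stream is buffered entirely in memory before any verification runs. If this input can come from a registry response or another source the caller does not control, cap the read with `atts, err := io.ReadAll(io.LimitReader(attestations, maxAttestationsBytes+1))` and reject the input when `len(atts) > maxAttestationsBytes`, so that an over-limit bundle fails explicitly instead of being silently truncated (`maxAttestationsBytes` is a placeholder for a limit the project would choose). A nil `attestations` value would also panic inside `io.ReadAll`, so a guard that returns an error is worth adding ahead of the read. The unchanged `return nil, nil, err` could carry context, for example `fmt.Errorf("reading attestations: %w", err)`. The function's signature and the rest of its body lie outside this hunk, so the parameter's type is inferred from the commit subject.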