Remove the hardcoded builder_id version (#3022)
Somewhat related to flutter/flutter#133376

It seems that occasionally the builds are failing because they are being built on a different version of Cloud Build. This is not actually providing any sort of security since we aren't explicitly specifying the version of cloud build when we trigger it, so instead we can just check that the artifact is built on cloud build at all.

Additionally, remove the hard-pinned version of slsa-verifier, as it is already specified and updated by dependabot in the `tooling` folder.
drewroengoogle authored Aug 30, 2023
1 parent af85274 commit 3dd86ab
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions cloud_build/verify_provenance.sh
Expand Up @@ -9,7 +9,7 @@ set -e
# If slsa-verifier is unable to ensure the provenance of the artifact is
# legitimate, then the script will exit with a non-zero exit code.
PROVENANCE_PATH=$1
BUILDER_ID=https://cloudbuild.googleapis.com/GoogleHostedWorker@v0.3
BUILDER_ID=https://cloudbuild.googleapis.com/GoogleHostedWorker
SOURCE_URI=github.com/flutter/cocoon

# Download the jq binary in order to obtain the artifact registry url from the
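Review bot: `PROVENANCE_PATH=$1` is used without checking that an argument was actually passed, so with `set -e` the script only fails later at `cat $PROVENANCE_PATH` with an unhelpful error; add a guard such as `[ -n "$1" ] || { echo "usage: $0 <provenance.json>" >&2; exit 1; }` before the assignment. On the `BUILDER_ID` change itself: dropping the `@v0.3` suffix means any version of `GoogleHostedWorker` is accepted, which matches the commit message's reasoning (the Cloud Build version is not pinned at trigger time either), but that rationale lives only in the commit; the header comment above this line should state that the builder identity, not its version, is what is being verified, so the unpinned value is not later mistaken for an oversight.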
Expand All @@ -22,7 +22,7 @@ apt update && apt install jq -y
echo "Installing slsa-verifier using go..."
mkdir -p tooling
pushd tooling
go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.4.0
go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier
popd

FULLY_QUALIFIED_DIGEST=$(cat $PROVENANCE_PATH |
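Review bot: `go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier` with no `@version` resolves the version from the `go.mod` of the module the command runs in, so this line now depends on `tooling/go.mod` (entered via the `pushd tooling` above) listing that module; if it does not, `go install` errors out rather than fetching latest. Since the commit message says dependabot manages the version there, add a one-line comment above the install noting that the version and its `go.sum` checksum come from `tooling/go.mod`, so the next reader does not re-add an `@vX.Y.Z` pin that would silently diverge from dependabot's updates.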