Move jq installation before the step to get provenance. (#3016)

The get_provenance script now requires jq but it was not installed until later.

cloud_build/get_docker_image_provenance.sh

@@ -9,6 +9,11 @@ OUTPUT_DIRECTORY=$2
 # Getting the docker image provenance can be flaky, so retry up to 3 times.
 MAX_ATTEMPTS=3
 
+# Download the jq binary in order to obtain the artifact registry url from the
+# docker image provenance.
+echo "Installing jq using apt..."
+apt update && apt install jq -y
+
 for attempt in $(seq 1 $MAX_ATTEMPTS)
 do
     echo "(Attempt $attempt) Obtaining provenance for $1"

cloud_build/verify_provenance.sh

@@ -12,16 +12,12 @@ PROVENANCE_PATH=$1
 BUILDER_ID=https://cloudbuild.googleapis.com/[email protected]
 SOURCE_URI=github.com/flutter/cocoon
 
-# Download the jq binary in order to obtain the artifact registry url from the
-# docker image provenance.
-echo "Installing jq using apt..."
-apt update && apt install jq -y
-
 # Download slsa-verifier in order to validate the docker image provenance.
 # This takes the version of slsa-verifier defined in tooling/go.mod.
 echo "Installing slsa-verifier using go..."
+mkdir -p tooling
 pushd tooling
-go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier
+go install github.com/slsa-framework/slsa-verifier/v2/cli/slsa-verifier@v2.4.0
 popd
 
 FULLY_QUALIFIED_DIGEST=$(cat $PROVENANCE_PATH |