From 7f992f05ee5df63f0ee27fdab7c2fbfba0f70bdf Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 2 Aug 2023 00:50:39 +0000 Subject: [PATCH 01/16] Update doc Signed-off-by: laurentsimon --- README.md | 80 ++++++++++++++++++++++++++++++------------------------- 1 file changed, 43 insertions(+), 37 deletions(-) diff --git a/README.md b/README.md index a25dece4f6..22b4e48083 100644 --- a/README.md +++ b/README.md @@ -19,16 +19,16 @@ - [Hall of Fame](#hall-of-fame) - [Generation of Provenance](#generation-of-provenance) - [Builder Creation](#builder-creation) -- [Roadmap](#roadmap) -- [Generation of provenance](#generation-of-provenance) +- [Generate provenance](#generate-provenance) - [Referencing SLSA builders and generators](#referencing-slsa-builders-and-generators) - [Builders](#builders) - - [Provenance-only generators](#provenance-only-generators) -- [Verification of provenance](#verification-of-provenance) + - [Generators](#generators) +- [Verify provenance](#verify-provenance) - [Installation](#installation) - [Inputs](#inputs) - [Command line examples](#command-line-examples) - [Build Your Own Builder](#build-your-own-builder) +- [Roadmap](#roadmap) - [Technical design](#technical-design) - [Specifications](#specifications) - [Provenance format](#provenance-format) @@ -38,6 +38,10 @@ ## Overview +This repository contains free tools to generate and verify SLSA3+ provenance for native GitHub projects using GitHub Actions. +Developers can build their software using a secure process that protects against many supply chain attacks and tampering. +Users of their software can verify a tamper-proof statement of the process to know how the software was created. + ### What is SLSA? [Supply chain Levels for Software Artifacts](https://slsa.dev), or SLSA (salsa), 
@@ -109,18 +113,15 @@ Several builders have been built using the "Build Your Own Builder" (BYOB): 4. [Gradle builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/gradle/README.md), by @AdamKorcz 5. Coming soon! [Bazel builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/bazel/README.md), by @enteraga6 -## Roadmap - -The project roadmap is tracked via milestones. You can track progress and open -issues via the [milestones page](https://github.com/slsa-framework/slsa-github-generator/milestones?direction=asc&sort=due_date&state=open). -Each milestone includes a description of what is being worked on and a rough -timeline for completion. - -## Generation of provenance +## Generate provenance -Below we describe the various builders and generators in this repository. They let you build and / or generate non-forgeable provenance +Below we describe the various [builders](#builders) and [generators](#generators) in this repository. They build and / or generate non-forgeable provenance using a trusted / isolated re-usable workflow. You can read up on the design in our [technical design document](#technical-design). +To select the right option to geneate provenance for your use case, take into account the programming language and build toolchain you already use, e.g. `go`, `mvn`, `bazel`, etc. Select a [builder](#builders) for your ecosystem. +For example, if you use `Go`, use the [Go builder](internal/builders/go/README.md). If you use Java and build Maven packages, use the [Maven builder](internal/builders/maven/README.md), and so on. +If your release scripts are more complex than what the builder supports; or if you do not wish to change your build pipeline, use a [generator](#generators) instead. + ### Referencing SLSA builders and generators At present, the GitHub Actions provided in this repository as builders and generators **MUST** be referenced 
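Review bot: the added line "To select the right option to geneate provenance for your use case" in the "Generate provenance" hunk misspells "generate", and this line is carried as unchanged context through PATCH 02, 10 and 14 without the typo ever being fixed in the series. In the same hunk, "If your release scripts are more complex than what the builder supports; or if you do not wish to change your build pipeline" should use a comma rather than a semicolon, and "build and / or generate" reads better as "build and/or generate".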
@@ -141,29 +142,29 @@ requirements for [SLSA Build level 3 and above](https://slsa.dev/spec/v1.0/level This repository hosts the following builders: -1. [Go Builder](internal/builders/go/README.md). **Status**: [available since v1.0.0](https://github.com/slsa-framework/slsa-github-generator/milestone/1). This builder builds and generates provenance for your [Go](https://go.dev/) projects. -2. [Node.js Builder](internal/builders/nodejs/README.md). - **Status**: [Beta since v1.6.0](https://github.com/slsa-framework/slsa-github-generator/milestone/8). - [Expected GA release Sept 2023](https://github.com/slsa-framework/slsa-github-generator/milestone/17). -3. [Container-based Builder](internal/builders/docker/README.md). **Status**: [Beta release since v1.7.0](https://github.com/slsa-framework/slsa-github-generator/milestone/4). This builder builds arbitrary artifacts by executing a user-supplied container image. -4. [Maven builder](internal/builders/maven/README.md). **Status**: [Beta since v1.8.0](https://github.com/slsa-framework/slsa-github-generator/milestone/14). This builder builds [Maven](https://maven.apache.org/) packages. The package and its attestations can be uploaded to [Maven central](https://search.maven.org). -5. [Gradle builder](internal/builders/gradle/README.md). **Status**: [Beta since v1.8.0](https://github.com/slsa-framework/slsa-github-generator/milestone/15). This builder builds [Gradle](https://gradle.org/) projects. The Maven package and its attestations can be uploaded to Maven central. -6. [Bazel builder](internal/builders/bazel/README.md). **Status**: [WIP](https://github.com/slsa-framework/slsa-github-generator/milestone/16). - [Expected beta-release Sept 2023](https://github.com/slsa-framework/slsa-github-generator/milestone/16). This builder builds [Bazel](https://bazel.build/) projects. -7. Container Builder. **Status**: [WIP](https://github.com/slsa-framework/slsa-github-generator/milestone/5). 
- This builder builds your container image and generate provenance. The generated provenance is compatible with - [cosign](https://github.com/sigstore/cosign)'s attestation format. +| Ecosystem | Builder | Description | Status | +|:-----------|:-----------------|:------------|:--------| +| [Go](https://go.dev/) projects | [Go Builder](internal/builders/go/README.md) | Builds and generates provenance for Go projects | [available since v1.0.0](https://github.com/slsa-framework/slsa-github-generator/milestone/1) | +| [nodejs](https://nodejs.org) projects | [Node.js Builder](internal/builders/nodejs/README.md) | Builds and generates provenance for npm packages | [Beta since v1.6.0](https://github.com/slsa-framework/slsa-github-generator/milestone/8). [Expected GA release Sept 2023](https://github.com/slsa-framework/slsa-github-generator/milestone/17) +| [Maven](https://maven.apache.org/) projects | [Maven builder](internal/builders/maven/README.md) | Build Maven packages and generates provenance. Can be uploaded to [Maven central](https://search.maven.org) | [Beta since v1.8.0](https://github.com/slsa-framework/slsa-github-generator/milestone/14) | +| [Gradle](https://gradle.org/) projects | [Gradle builder](internal/builders/gradle/README.md) | Build Gradle projects and generates provenance. 
Can be uploaded to [Maven central](https://search.maven.org) | [Beta since v1.8.0](https://github.com/slsa-framework/slsa-github-generator/milestone/15) | +| [JReleaser](https://jreleaser.org/) projects | [JReleaser builder](https://github.com/jreleaser/release-action/tree/java#slsa-builder) | Builds and generates provenance using [JReleaser](https://jreleaser.org/) | [Beta since v1.8.0](https://github.com/slsa-framework/slsa-github-generator/milestone/16) | +| [Bazel](https://bazel.build/) projects | [Bazel builder](internal/builders/bazel/README.md) | Builds [Bazel](https://bazel.build/) projects and generates provenance | [Beta release August 2023](https://github.com/slsa-framework/slsa-github-generator/milestone/16) | +| [docker](https://www.docker.com/) images | Container Builder | Builds docker containers and generates provenance. The generated provenance is compatible with [cosign](https://github.com/sigstore/cosign)'s attestation format | [WIP](https://github.com/slsa-framework/slsa-github-generator/milestone/5) | +| Any | [Container-based Builder](internal/builders/docker/README.md) | Builds projects whose build pipeline is defined with a Dockerfile | [Beta since v1.7.0](https://github.com/slsa-framework/slsa-github-generator/milestone/16) | There are other available builders using this repository's [BYOB framework](#build-your-own-builder) and not hosted in this repository: -1. [JReleaser builder](https://github.com/jreleaser/release-action/tree/java#slsa-builder). Lets you build and generate provenance using [JReleaser](https://jreleaser.org/). 
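Review bot: the new builders table links the Container-based Builder's "Beta since v1.7.0" status to milestone/16, whereas the removed line linked it to milestone/4; milestone/16 is the Bazel milestone per the removed Bazel entry, so this row points at the wrong milestone. The same table lists the JReleaser builder under "This repository hosts the following builders" while the paragraph and second table right below say it is not hosted in this repository, so it appears twice (PATCH 07 later removes it; better to squash that into this commit). The Container-based Builder description now says "whose build pipeline is defined with a Dockerfile" while the removed text said "by executing a user-supplied container image"; a Dockerfile and a prebuilt image are different inputs, so please confirm which one the builder actually consumes before changing the wording. Minor: "Build Maven packages and generates" and "Build Gradle projects and generates" should read "Builds", and the Node.js row is missing its trailing "|".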
+| Ecosystem | Builder | Description | Status | +|:-----------|:-----------------|:------------|:--------| +| [JReleaser](https://jreleaser.org/) projects | [JReleaser builder](https://github.com/jreleaser/release-action/tree/java#slsa-builder) | Builds and generates provenance using [JReleaser](https://jreleaser.org/) | [Beta since v1.8.0](https://github.com/slsa-framework/slsa-github-generator/milestone/16) | + -If you would rather build your project yourself, use the generators instead as explained in the next section. +If none of these options fit your needs, use a [generator](#generators) as described below: -### Provenance-only generators +### Generators -Provenance-only generators let you build your artifact, and only generate provenance for you. -They let you meet the [provenance generation](https://slsa.dev/spec/v1.0/requirements#provenance-generation) requirements +Generators only generate provenance for you. They let you meet the [provenance generation](https://slsa.dev/spec/v1.0/requirements#provenance-generation) requirements for [SLSA Build level 3](https://slsa.dev/spec/v1.0/levels). Generators create an attestation to a software artifact coming from your repository. 
@@ -172,14 +173,12 @@ Generators are _not_ able to report the commands used to generate your artifact This repository hosts the following generators: -1. [Generic generator SLSA Level 3](internal/builders/generic/README.md). **Status**: [available since v1.2.0](https://github.com/slsa-framework/slsa-github-generator/milestone/2). - This generator generates provenance for arbitrary artifacts of your choice. To use it, - follow the [Generic generator's README.md](internal/builders/generic/README.md). -2. [Container generator SLSA Level 3](internal/builders/container/README.md). **Status**: [available since v1.4.0](https://github.com/slsa-framework/slsa-github-generator/milestone/3). - This generator will generate provenance for container images. The generated provenance will be compatible with - [cosign](https://github.com/sigstore/cosign)'s attestation format. +1Artifact type | Builder | Description | Status | +|:-----------|:-----------------|:------------|:--------| +| file | [Generic generator](internal/builders/generic/README.md) | Generates provenance for arbitrary file-based artifacts | [available since v1.2.0](https://github.com/slsa-framework/slsa-github-generator/milestone/2) | +| container | [Container generator](internal/builders/container/README.md) | Generate provenance for container images. The generated provenance is compatible with [cosign](https://github.com/sigstore/cosign)'s attestation format. | [available since v1.4.0](https://github.com/slsa-framework/slsa-github-generator/milestone/3) -## Verification of provenance +## Verify provenance To verify the provenance, use the [github.com/slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) project. 
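Review bot: renaming "## Verification of provenance" to "## Verify provenance" changes the heading anchor, but the "Build Your Own Builder" section still links to "[slsa-verifier](#verification-of-provenance)" (visible as context in the next hunk), and that link is never updated anywhere in the 16-patch series, so it becomes a dead in-page link; update it to "#verify-provenance" in this commit. In the same hunk the generators table header "1Artifact type | Builder | Description | Status |" has a stray "1", lacks the leading "|", and labels the column "Builder" for generators (PATCH 02 fixes this; squash it here so the README renders at every commit). Also "Generate provenance for container images" should be "Generates".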
@@ -199,6 +198,13 @@ A command line example is provided in [slsa-framework/slsa-verifier#example](htt If you want to build your own builder, use the [BYOB framework](BYOB.md). The framework lets you create your own SLSA3 builder on GitHub. For example, you can wrap an existing GitHub Action into a SLSA3 builder. For verification, your users can use the [slsa-verifier](#verification-of-provenance). +## Roadmap + +The project roadmap is tracked via milestones. You can track progress and open +issues via the [milestones page](https://github.com/slsa-framework/slsa-github-generator/milestones?direction=asc&sort=due_date&state=open). +Each milestone includes a description of what is being worked on and a rough +timeline for completion. + ## Technical design The initial technical design was described in the blog post From 03bbc909107155bc12c15ceefbe689a0329347fa Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 2 Aug 2023 00:58:41 +0000 Subject: [PATCH 02/16] Update doc Signed-off-by: laurentsimon --- README.md | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 22b4e48083..0aabf3b8fc 100644 --- a/README.md +++ b/README.md @@ -92,8 +92,8 @@ While slsa-github-generator can help you achieve SLSA Build level 3, use of the only is not sufficient to meet all of the requirements at SLSA Build level 3. Specifically, these workflows do not address provenance [distribution](https://slsa.dev/spec/v1.0/distributing-provenance) or -[verification](https://slsa.dev/spec/v1.0/verifying-artifacts). Those requirements -must be handled separately to meet SLSA Build level 3+. +[verification](https://slsa.dev/spec/v1.0/verifying-artifacts). +You can use the [slsa-verifier](#verify-provenance) to verify the provenance. ### Hall of Fame 
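Review bot: in the PATCH 02 hunk at "@@ -92,8 +92,8 @@", replacing "Those requirements must be handled separately to meet SLSA Build level 3+." with "You can use the slsa-verifier to verify the provenance." drops the statement that provenance distribution, which the unchanged context line still names as out of scope, must be handled separately by the user. Suggest keeping both, e.g. "Provenance distribution must be handled separately. To verify provenance, use the [slsa-verifier](#verify-provenance)."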
@@ -105,7 +105,7 @@ Below is a non-exhaustive list of projects that use the builders in this reposit #### Builder Creation -Several builders have been built using the "Build Your Own Builder" (BYOB): +Several builders have been built using the ["Build Your Own Builder" (BYOB) framework](#build-your-own-builder): 1. [nodejs builder](https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/nodejs#readme), by @ianlewis 2. [JReleaser builder](https://github.com/jreleaser/release-action/tree/java#slsa-builder), by @aalmiray @@ -120,7 +120,7 @@ using a trusted / isolated re-usable workflow. You can read up on the design in To select the right option to geneate provenance for your use case, take into account the programming language and build toolchain you already use, e.g. `go`, `mvn`, `bazel`, etc. Select a [builder](#builders) for your ecosystem. For example, if you use `Go`, use the [Go builder](internal/builders/go/README.md). If you use Java and build Maven packages, use the [Maven builder](internal/builders/maven/README.md), and so on. -If your release scripts are more complex than what the builder supports; or if you do not wish to change your build pipeline, use a [generator](#generators) instead. +If your release scripts are more complex than what the builder supports; or if there is no builder for your ecosystem, use a [generator](#generators) instead. ### Referencing SLSA builders and generators 
@@ -169,13 +169,11 @@ for [SLSA Build level 3](https://slsa.dev/spec/v1.0/levels). Generators create an attestation to a software artifact coming from your repository. -Generators are _not_ able to report the commands used to generate your artifact in the provenance. - This repository hosts the following generators: -1Artifact type | Builder | Description | Status | -|:-----------|:-----------------|:------------|:--------| -| file | [Generic generator](internal/builders/generic/README.md) | Generates provenance for arbitrary file-based artifacts | [available since v1.2.0](https://github.com/slsa-framework/slsa-github-generator/milestone/2) | +| Artifact type | Generator | Description | Status | +|:--------------|:------------------|:-------------|:-------| +| file | [Generic generator](internal/builders/generic/README.md) | Generates provenance for arbitrary file-based artifacts, for any ecosystem and programming language | [available since v1.2.0](https://github.com/slsa-framework/slsa-github-generator/milestone/2) | | container | [Container generator](internal/builders/container/README.md) | Generate provenance for container images. The generated provenance is compatible with [cosign](https://github.com/sigstore/cosign)'s attestation format. | [available since v1.4.0](https://github.com/slsa-framework/slsa-github-generator/milestone/3) ## Verify provenance From 036b1b644dceee64b28bf076a4845607a9b2cda4 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 2 Aug 2023 09:58:45 -0700 Subject: [PATCH 03/16] Update README.md Co-authored-by: Ian Lewis Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0aabf3b8fc..62a84aee18 100644 --- a/README.md +++ b/README.md 
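Review bot: this hunk deletes "Generators are _not_ able to report the commands used to generate your artifact in the provenance." without replacing it, which removes the one sentence that tells a reader what they give up by choosing a generator over a builder; since the new "Generate provenance" paragraph steers users toward generators when no builder fits, that caveat belongs there or in the Generators section. The table header fix ("| Artifact type | Generator |") itself is correct.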
@@ -38,7 +38,7 @@ ## Overview -This repository contains free tools to generate and verify SLSA3+ provenance for native GitHub projects using GitHub Actions. +This repository contains free tools to generate and verify SLSA Build Level 3 provenance for native GitHub projects using GitHub Actions. Developers can build their software using a secure process that protects against many supply chain attacks and tampering. Users of their software can verify a tamper-proof statement of the process to know how the software was created. From 4a2475228001aece58903e18e9c0823b150b7883 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 2 Aug 2023 09:58:55 -0700 Subject: [PATCH 04/16] Update README.md Co-authored-by: Ian Lewis Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 62a84aee18..bd1c76ac91 100644 --- a/README.md +++ b/README.md @@ -28,7 +28,7 @@ - [Inputs](#inputs) - [Command line examples](#command-line-examples) - [Build Your Own Builder](#build-your-own-builder) -- [Roadmap](#roadmap) +- [Project Roadmap](#project-roadmap) - [Technical design](#technical-design) - [Specifications](#specifications) - [Provenance format](#provenance-format) From 01c96e5ced662ab9d2fff9e9ac72fdfc4ff64d0c Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 2 Aug 2023 09:59:01 -0700 Subject: [PATCH 05/16] Update README.md Co-authored-by: Ian Lewis Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bd1c76ac91..0287b4a950 100644 --- a/README.md +++ b/README.md 
@@ -196,7 +196,7 @@ A command line example is provided in [slsa-framework/slsa-verifier#example](htt If you want to build your own builder, use the [BYOB framework](BYOB.md). The framework lets you create your own SLSA3 builder on GitHub. For example, you can wrap an existing GitHub Action into a SLSA3 builder. For verification, your users can use the [slsa-verifier](#verification-of-provenance). -## Roadmap +## Project Roadmap The project roadmap is tracked via milestones. You can track progress and open issues via the [milestones page](https://github.com/slsa-framework/slsa-github-generator/milestones?direction=asc&sort=due_date&state=open). From 8802ba6b25c52a7f1c5e2cde7cfde474907eaaa0 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 2 Aug 2023 09:59:10 -0700 Subject: [PATCH 06/16] Update README.md Co-authored-by: Ian Lewis Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0287b4a950..f164cc2e3e 100644 --- a/README.md +++ b/README.md 
@@ -145,7 +145,7 @@ This repository hosts the following builders: | Ecosystem | Builder | Description | Status | |:-----------|:-----------------|:------------|:--------| | [Go](https://go.dev/) projects | [Go Builder](internal/builders/go/README.md) | Builds and generates provenance for Go projects | [available since v1.0.0](https://github.com/slsa-framework/slsa-github-generator/milestone/1) | -| [nodejs](https://nodejs.org) projects | [Node.js Builder](internal/builders/nodejs/README.md) | Builds and generates provenance for npm packages | [Beta since v1.6.0](https://github.com/slsa-framework/slsa-github-generator/milestone/8). [Expected GA release Sept 2023](https://github.com/slsa-framework/slsa-github-generator/milestone/17) +| [Node.js](https://nodejs.org) projects | [Node.js Builder](internal/builders/nodejs/README.md) | Builds and generates provenance for npm packages | [Beta since v1.6.0](https://github.com/slsa-framework/slsa-github-generator/milestone/8). [Expected GA release Sept 2023](https://github.com/slsa-framework/slsa-github-generator/milestone/17) | [Maven](https://maven.apache.org/) projects | [Maven builder](internal/builders/maven/README.md) | Build Maven packages and generates provenance. Can be uploaded to [Maven central](https://search.maven.org) | [Beta since v1.8.0](https://github.com/slsa-framework/slsa-github-generator/milestone/14) | | [Gradle](https://gradle.org/) projects | [Gradle builder](internal/builders/gradle/README.md) | Build Gradle projects and generates provenance. Can be uploaded to [Maven central](https://search.maven.org) | [Beta since v1.8.0](https://github.com/slsa-framework/slsa-github-generator/milestone/15) | | [JReleaser](https://jreleaser.org/) projects | [JReleaser builder](https://github.com/jreleaser/release-action/tree/java#slsa-builder) | Builds and generates provenance using [JReleaser](https://jreleaser.org/) | [Beta since v1.8.0](https://github.com/slsa-framework/slsa-github-generator/milestone/16) | 
From e0fd0ef8d715ea77729d5203b23f11996b09f03d Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 2 Aug 2023 09:59:21 -0700 Subject: [PATCH 07/16] Update README.md Co-authored-by: Ian Lewis Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index f164cc2e3e..190a416467 100644 --- a/README.md +++ b/README.md 
@@ -148,7 +148,6 @@ This repository hosts the following builders: | [Node.js](https://nodejs.org) projects | [Node.js Builder](internal/builders/nodejs/README.md) | Builds and generates provenance for npm packages | [Beta since v1.6.0](https://github.com/slsa-framework/slsa-github-generator/milestone/8). [Expected GA release Sept 2023](https://github.com/slsa-framework/slsa-github-generator/milestone/17) | [Maven](https://maven.apache.org/) projects | [Maven builder](internal/builders/maven/README.md) | Build Maven packages and generates provenance. Can be uploaded to [Maven central](https://search.maven.org) | [Beta since v1.8.0](https://github.com/slsa-framework/slsa-github-generator/milestone/14) | | [Gradle](https://gradle.org/) projects | [Gradle builder](internal/builders/gradle/README.md) | Build Gradle projects and generates provenance. Can be uploaded to [Maven central](https://search.maven.org) | [Beta since v1.8.0](https://github.com/slsa-framework/slsa-github-generator/milestone/15) | -| [JReleaser](https://jreleaser.org/) projects | [JReleaser builder](https://github.com/jreleaser/release-action/tree/java#slsa-builder) | Builds and generates provenance using [JReleaser](https://jreleaser.org/) | [Beta since v1.8.0](https://github.com/slsa-framework/slsa-github-generator/milestone/16) | | [Bazel](https://bazel.build/) projects | [Bazel builder](internal/builders/bazel/README.md) | Builds [Bazel](https://bazel.build/) projects and generates provenance | [Beta release August 2023](https://github.com/slsa-framework/slsa-github-generator/milestone/16) | | [docker](https://www.docker.com/) images | Container Builder | Builds docker containers and generates provenance. 
The generated provenance is compatible with [cosign](https://github.com/sigstore/cosign)'s attestation format | [WIP](https://github.com/slsa-framework/slsa-github-generator/milestone/5) | | Any | [Container-based Builder](internal/builders/docker/README.md) | Builds projects whose build pipeline is defined with a Dockerfile | [Beta since v1.7.0](https://github.com/slsa-framework/slsa-github-generator/milestone/16) | From b6bdb4d4e6942148b5481ff1e4071cfbd3d367de Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 2 Aug 2023 10:00:03 -0700 Subject: [PATCH 08/16] Update README.md Co-authored-by: Ian Lewis Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 190a416467..bb911253a2 100644 --- a/README.md +++ b/README.md 
@@ -172,7 +172,7 @@ This repository hosts the following generators: | Artifact type | Generator | Description | Status | |:--------------|:------------------|:-------------|:-------| -| file | [Generic generator](internal/builders/generic/README.md) | Generates provenance for arbitrary file-based artifacts, for any ecosystem and programming language | [available since v1.2.0](https://github.com/slsa-framework/slsa-github-generator/milestone/2) | +| file (binary, package tarball etc.) | [Generic generator](internal/builders/generic/README.md) | Generates provenance for arbitrary file-based artifacts, for any ecosystem and programming language | [available since v1.2.0](https://github.com/slsa-framework/slsa-github-generator/milestone/2) | | container | [Container generator](internal/builders/container/README.md) | Generate provenance for container images. The generated provenance is compatible with [cosign](https://github.com/sigstore/cosign)'s attestation format. | [available since v1.4.0](https://github.com/slsa-framework/slsa-github-generator/milestone/3) ## Verify provenance From 2fa8781713d0e92587ddee4418762e18e63c206a Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 2 Aug 2023 10:00:43 -0700 Subject: [PATCH 09/16] Update README.md Co-authored-by: olivekl <83081275+olivekl@users.noreply.github.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bb911253a2..9f58f18b0b 100644 --- a/README.md +++ b/README.md 
@@ -44,7 +44,7 @@ Users of their software can verify a tamper-proof statement of the process to kn ### What is SLSA? -[Supply chain Levels for Software Artifacts](https://slsa.dev), or SLSA (salsa), +[Supply-chain Levels for Software Artifacts](https://slsa.dev), or SLSA (salsa), is a security framework, a check-list of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure in your projects, businesses or enterprises. From 08ac2fcd3d1b3539ca2f3d0ced4970ae634bae83 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 2 Aug 2023 10:00:49 -0700 Subject: [PATCH 10/16] Update README.md Co-authored-by: olivekl <83081275+olivekl@users.noreply.github.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 9f58f18b0b..d7f2244e15 100644 --- a/README.md +++ b/README.md @@ -120,7 +120,7 @@ using a trusted / isolated re-usable workflow. You can read up on the design in To select the right option to geneate provenance for your use case, take into account the programming language and build toolchain you already use, e.g. `go`, `mvn`, `bazel`, etc. Select a [builder](#builders) for your ecosystem. For example, if you use `Go`, use the [Go builder](internal/builders/go/README.md). If you use Java and build Maven packages, use the [Maven builder](internal/builders/maven/README.md), and so on. -If your release scripts are more complex than what the builder supports; or if there is no builder for your ecosystem, use a [generator](#generators) instead. +If your release scripts are more complex than what the builder supports; or if there is no builder for your ecosystem, use a provenance [generator](#generators) instead. ### Referencing SLSA builders and generators From a96ad7998d240dc119bd246ff1ba30355a29941a Mon Sep 17 00:00:00 2001 
From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 2 Aug 2023 10:01:02 -0700 Subject: [PATCH 11/16] Update README.md Co-authored-by: olivekl <83081275+olivekl@users.noreply.github.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d7f2244e15..bf3d8a2836 100644 --- a/README.md +++ b/README.md @@ -193,7 +193,7 @@ A command line example is provided in [slsa-framework/slsa-verifier#example](htt ## Build Your Own Builder -If you want to build your own builder, use the [BYOB framework](BYOB.md). The framework lets you create your own SLSA3 builder on GitHub. For example, you can wrap an existing GitHub Action into a SLSA3 builder. For verification, your users can use the [slsa-verifier](#verification-of-provenance). +Use the [BYOB framework](BYOB.md) to create your own SLSA3 builder on GitHub. If you have an existing GitHub Action, you can use the BYOB framework to wrap it into a SLSA3 builder. This will harden the build process to meet Build Level 3 expectations and produce Build Level 3 provenance. To verify the provenance, your users can use the [slsa-verifier](#verification-of-provenance). ## Project Roadmap From 67b9f9f31b2b95f957ddfa29e089f124c02de29e Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 2 Aug 2023 10:01:12 -0700 Subject: [PATCH 12/16] Update README.md Co-authored-by: olivekl <83081275+olivekl@users.noreply.github.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bf3d8a2836..fa8c8a6f71 100644 --- a/README.md +++ b/README.md 
@@ -177,7 +177,7 @@ This repository hosts the following generators: ## Verify provenance -To verify the provenance, use the [github.com/slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) project. +To verify provenance created by any of the builders in this repository, use the [github.com/slsa-framework/slsa-verifier](https://github.com/slsa-framework/slsa-verifier) project. ### Installation From 9ed80394be4b67fcdef50b4f7f9d831af1f1ba82 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 2 Aug 2023 17:06:07 +0000 Subject: [PATCH 13/16] comments Signed-off-by: laurentsimon --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index fa8c8a6f71..f8b5394300 100644 --- a/README.md +++ b/README.md @@ -158,12 +158,11 @@ There are other available builders using this repository's [BYOB framework](#bui |:-----------|:-----------------|:------------|:--------| | [JReleaser](https://jreleaser.org/) projects | [JReleaser builder](https://github.com/jreleaser/release-action/tree/java#slsa-builder) | Builds and generates provenance using [JReleaser](https://jreleaser.org/) | [Beta since v1.8.0](https://github.com/slsa-framework/slsa-github-generator/milestone/16) | - If none of these options fit your needs, use a [generator](#generators) as described below: ### Generators -Generators only generate provenance for you. They let you meet the [provenance generation](https://slsa.dev/spec/v1.0/requirements#provenance-generation) requirements +Generators only generate provenance for you. for [SLSA Build level 3](https://slsa.dev/spec/v1.0/levels). Generators create an attestation to a software artifact coming from your repository. From dd9d1fc96c75629dc0b8e8f9ef9cc68aff14433f Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 2 Aug 2023 17:09:44 +0000 Subject: [PATCH 14/16] Fix regex Signed-off-by: laurentsimon --- README.md | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) 
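Review bot: in the PATCH 12 hunk, "To verify provenance created by any of the builders in this repository" excludes the generators, which also produce provenance verified by the same tool; suggest "created by any of the builders or generators in this repository". In the PATCH 13 hunk at "@@ -158,12 +158,11 @@", cutting "They let you meet the [provenance generation] requirements" leaves the fragment "for [SLSA Build level 3](https://slsa.dev/spec/v1.0/levels)." standing alone after a full stop, so the README is broken at this commit even though PATCH 14 repairs it; squash the two or finish the sentence here.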
diff --git a/README.md b/README.md index f8b5394300..be2b491add 100644 --- a/README.md +++ b/README.md @@ -119,7 +119,7 @@ Below we describe the various [builders](#builders) and [generators](#generators using a trusted / isolated re-usable workflow. You can read up on the design in our [technical design document](#technical-design). To select the right option to geneate provenance for your use case, take into account the programming language and build toolchain you already use, e.g. `go`, `mvn`, `bazel`, etc. Select a [builder](#builders) for your ecosystem. -For example, if you use `Go`, use the [Go builder](internal/builders/go/README.md). If you use Java and build Maven packages, use the [Maven builder](internal/builders/maven/README.md), and so on. +For example, if you use Go, use the [Go builder](internal/builders/go/README.md). If you use Java and build Maven packages, use the [Maven builder](internal/builders/maven/README.md), and so on. If your release scripts are more complex than what the builder supports; or if there is no builder for your ecosystem, use a provenance [generator](#generators) instead. ### Referencing SLSA builders and generators @@ -135,7 +135,7 @@ For guidance on how to configure renovate see [RENOVATE.md](RENOVATE.md). ### Builders -Build platforms build and generate provenance. They let you meet the +Builders build and generate provenance. They let you meet the [provenance generation](https://slsa.dev/spec/v1.0/requirements#provenance-generation) and [isolation strength](https://slsa.dev/spec/v1.0/requirements#isolation-strength) requirements for [SLSA Build level 3 and above](https://slsa.dev/spec/v1.0/levels). 
@@ -162,8 +162,10 @@ If none of these options fit your needs, use a [generator](#generators) as descr ### Generators -Generators only generate provenance for you. -for [SLSA Build level 3](https://slsa.dev/spec/v1.0/levels). +Generators only generate provenance for you. They let you meet the +[provenance generation](https://slsa.dev/spec/v1.0/requirements#provenance-generation) and +[isolation strength](https://slsa.dev/spec/v1.0/requirements#isolation-strength) +requirements for [SLSA Build level 3 and above](https://slsa.dev/spec/v1.0/levels). Generators create an attestation to a software artifact coming from your repository. From 5754921dabc9ffaa1cfd51ed88f137d21ea8f802 Mon Sep 17 00:00:00 2001 From: laurentsimon Date: Wed, 2 Aug 2023 17:11:20 +0000 Subject: [PATCH 15/16] updates Signed-off-by: laurentsimon --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index be2b491add..d09a6b33bf 100644 --- a/README.md +++ b/README.md @@ -194,7 +194,9 @@ A command line example is provided in [slsa-framework/slsa-verifier#example](htt ## Build Your Own Builder -Use the [BYOB framework](BYOB.md) to create your own SLSA3 builder on GitHub. If you have an existing GitHub Action, you can use the BYOB framework to wrap it into a SLSA3 builder. This will harden the build process to meet Build Level 3 expectations and produce Build Level 3 provenance. To verify the provenance, your users can use the [slsa-verifier](#verification-of-provenance). +Use the [BYOB framework](BYOB.md) to create your own SLSA3 builder on GitHub. If you have an existing GitHub Action, you can use the BYOB framework to wrap it into a SLSA3 builder. +This will harden the build process by runing the Action in an isolated environment. Generated artifacts will meet Build Level 3 expectations and produce Build Level 3 provenance. +To verify the provenance, your users can use the [slsa-verifier](#verification-of-provenance). ## Project Roadmap 
From 1a56547198a46c74fedfb7bef887a2a30740a2c7 Mon Sep 17 00:00:00 2001 From: laurentsimon <64505099+laurentsimon@users.noreply.github.com> Date: Wed, 2 Aug 2023 10:19:19 -0700 Subject: [PATCH 16/16] Update README.md Co-authored-by: kpk47 <1079282+kpk47@users.noreply.github.com> Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com> --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d09a6b33bf..0fd893d2ea 100644 --- a/README.md +++ b/README.md @@ -194,7 +194,7 @@ A command line example is provided in [slsa-framework/slsa-verifier#example](htt ## Build Your Own Builder -Use the [BYOB framework](BYOB.md) to create your own SLSA3 builder on GitHub. If you have an existing GitHub Action, you can use the BYOB framework to wrap it into a SLSA3 builder. +Use the [BYOB framework](BYOB.md) to create your own SLSA builder on GitHub. If you have an existing GitHub Action, you can use the BYOB framework to wrap it into a SLSA builder. This will harden the build process by runing the Action in an isolated environment. Generated artifacts will meet Build Level 3 expectations and produce Build Level 3 provenance. To verify the provenance, your users can use the [slsa-verifier](#verification-of-provenance).
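Review bot: In the PATCH 11 hunk (README.md @@ -193), the rewritten "Build Your Own Builder" paragraph still links to `[slsa-verifier](#verification-of-provenance)`, but the PATCH 12 hunk shows the section is now headed `## Verify provenance`, whose GitHub anchor is `#verify-provenance`, so this link no longer resolves. Suggest `[slsa-verifier](#verify-provenance)`. The same stale anchor is carried unchanged through the PATCH 15 and PATCH 16 versions of this paragraph, so it should be fixed in whichever commit lands first.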
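Review bot: In the PATCH 12 hunk (README.md @@ -177), "provenance created by any of the builders in this repository" silently excludes the generators, even though the hunk's own context line ("This repository hosts the following generators:") shows the Generators section sits directly above and those workflows also emit provenance that slsa-verifier is meant to check. Suggest "To verify provenance created by any of the builders or generators in this repository, use ...".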
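Review bot: The PATCH 13 hunk (README.md @@ -158) deletes the blank line between the JReleaser table row and the sentence "If none of these options fit your needs, use a [generator](#generators) as described below:"; in GitHub-flavored Markdown a table only ends at a blank line or a new block, so that sentence will render as an extra table row. Keep the blank line. The same hunk also leaves the Generators paragraph as a broken sentence ("Generators only generate provenance for you." immediately followed by a stray "for [SLSA Build level 3](...)"); PATCH 14 repairs it, so consider squashing the two commits so no intermediate revision ships the dangling fragment.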
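Review bot: The PATCH 14 subject "Fix regex" does not describe its first hunk (README.md @@ -119), which only edits prose (removes the backticks around Go and, in the @@ -135 hunk, renames "Build platforms" to "Builders"); a subject such as "README: wording fixes" would keep the history searchable. While this paragraph is being touched, the unchanged context line still reads "geneate" (should be "generate"), and "more complex than what the builder supports; or if there is no builder for your ecosystem" should use a comma rather than a semicolon.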
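Review bot: The new Generators paragraph in the PATCH 14 hunk at README.md @@ -162 copies the Builders paragraph (@@ -135) almost verbatim, including the claim that generators let you meet the [isolation strength](https://slsa.dev/spec/v1.0/requirements#isolation-strength) requirement for "SLSA Build level 3 and above". That sits oddly next to the opening sentence "Generators only generate provenance for you" and next to the @@ -119 context, which presents the trusted / isolated re-usable workflow as the builders' property; before PATCH 13 the text credited generators only with the provenance generation requirement for Build level 3. Unless generators really do satisfy isolation strength for the build they attest, restore the narrower wording: "They let you meet the [provenance generation](https://slsa.dev/spec/v1.0/requirements#provenance-generation) requirements for [SLSA Build level 3](https://slsa.dev/spec/v1.0/levels)." The distinction matters to readers, who are told to pick a generator precisely when their build runs outside a supported builder.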
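Review bot: In the PATCH 15 hunk (README.md @@ -194), "runing" should be "running", and "Generated artifacts will meet Build Level 3 expectations and produce Build Level 3 provenance" attributes provenance production to the artifacts; it is the builder that produces the provenance for them. Suggest: "The build will meet Build Level 3 expectations, and the builder will produce Build Level 3 provenance for the generated artifacts."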
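Review bot: The PATCH 16 hunk (README.md @@ -194) changes "SLSA3 builder" to "SLSA builder" in the first line but leaves the rest of the paragraph untouched, so the final state of this section still contains the "runing" typo and the `#verification-of-provenance` anchor from the earlier commits. Since this is the last revision of the paragraph in the series, it is the natural place to fix both if they are not squashed into PATCH 15.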