Installation

Install from GitHub Releases

  1. $ VERSION=TODO # choose the latest version
  2. $ OS=Linux     # or Darwin
  3. $ ARCH=x86_64  # or arm64, i386, s390x

We generate SLSA3 provenance using the OpenSSF’s slsa-framework/slsa-github-generator. To verify our release, install the verification tool from slsa-framework/slsa-verifier#installation and verify as follows:

  1. $ curl -sL "https://github.com/ko-build/ko/releases/download/v${VERSION}/ko_${VERSION}_${OS}_${ARCH}.tar.gz" > ko.tar.gz
  2. $ curl -sL https://github.com/ko-build/ko/releases/download/v${VERSION}/attestation.intoto.jsonl > provenance.intoto.jsonl
  3. $ slsa-verifier -artifact-path ko.tar.gz -provenance provenance.intoto.jsonl -source github.com/google/ko -tag "v${VERSION}"
  4.   PASSED: Verified SLSA provenance
  1. $ tar xzf ko.tar.gz ko
  2. $ chmod +x ./ko

Install using Homebrew

  1. brew install ko

Install on Alpine Linux

Installation on Alpine requires using the testing repository

  1. echo https://dl-cdn.alpinelinux.org/alpine/edge/testing/ >> /etc/apk/repositories
  2. apk update
  3. apk add ko

Build and Install from source

With Go 1.16+, build and install the latest released version:

  1. go install github.com/google/ko@latest

Setup on GitHub Actions

You can use the setup-ko action to install ko and setup auth to GitHub Container Registry in a GitHub Action workflow:

  1. steps:
  2. - uses: imjasonh/setup-ko@v0.4