chore: address PR feedback

benmss · benmss · commit 8178a1d6e401 · 2025-03-11T09:15:33.000+10:00
Signed-off-by: Ben Selwyn-Smith &lt;benselwynsmith@googlemail.com&gt;
diff --git a/docs/source/pages/tutorials/npm_provenance.rst b/docs/source/pages/tutorials/npm_provenance.rst
@@ -52,7 +52,7 @@ During this analysis, Macaron will retrieve two provenance files from the npm re
 
 .. note:: Most of the details from the two provenance files can be found through the links provided on the artifacts page on the npm website. In particular: `Sigstore Rekor <https://search.sigstore.dev/?logIndex=92391688>`_. The provenance file itself can be found at: `npm registry <https://registry.npmjs.org/-/npm/v1/attestations/semver@7.6.2>`_.
 
-Of course to reliably say the above does what is claimed here, proof is needed. For this we can rely on the check results produced from the analysis run. In particular, we want to know the results of three checks: ``mcn_provenance_derived_repo_1``, ``mcn_provenance_derived_commit_1``, and ``mcn_provenance_verified_1``. The first two to ensure that the commit and the repository being analyzed match those found in the provenance file, and the last check to ensure that the provenance file has been verified. In order for the third of these three checks to succeed, we must tell Macaron to perform provenance verification via the ``--verify provenance`` command line argument, as shown above. This is disable by default as it can be quite time consuming in some cases.
+Of course to reliably say the above does what is claimed here, proof is needed. For this we can rely on the check results produced from the analysis run. In particular, we want to know the results of three checks: ``mcn_provenance_derived_repo_1``, ``mcn_provenance_derived_commit_1``, and ``mcn_provenance_verified_1``. The first two to ensure that the commit and the repository being analyzed match those found in the provenance file, and the last check to ensure that the provenance file has been verified. For the third check to succeed, you need to enable provenance verification in Macaron by using the ``--verify-provenance`` command-line argument, as demonstrated above. This verification is disabled by default because it can be slow in some cases due to I/O-bound operations.
 
 .. _fig_semver_7.6.2_report:
 
diff --git a/src/macaron/provenance/provenance_verifier.py b/src/macaron/provenance/provenance_verifier.py
@@ -16,7 +16,7 @@
 
 from macaron.config.defaults import defaults
 from macaron.config.global_config import global_config
-from macaron.provenance.provenance_extractor import ProvenancePredicate
+from macaron.provenance.provenance_extractor import ProvenancePredicate, SLSAGithubGenericBuildDefinitionV01
 from macaron.repo_finder.commit_finder import AbstractPurlType, determine_abstract_purl_type
 from macaron.slsa_analyzer.analyze_context import AnalyzeContext
 from macaron.slsa_analyzer.asset import AssetLocator
@@ -386,7 +386,7 @@ def determine_provenance_slsa_level(
     if predicate:
         build_type = ProvenancePredicate.get_build_type(provenance_payload.statement)
 
-    if build_type == "https://github.com/slsa-framework/slsa-github-generator/generic@v1" and verified_l3:
+    if build_type in {SLSAGithubGenericBuildDefinitionV01.expected_build_type} and verified_l3:
         # 3. Provenance is created by the SLSA GitHub generator and verified.
         return 3
 
