
Generate SLSA provenance for your release builds

Open laurentsimon opened this issue 3 years ago • 0 comments

Hi

I am one of the authors of the SLSA3+ builder for GitHub workflows (https://github.com/slsa-framework/slsa-github-generator project).

We released the v1 of the SLSA3+ builder last week. It will be officially announced during the Open Source Summit next week.

We are reaching out to projects to see if they'd be interested in using it. The scorecard project has recently added support for their Linux amd64 build.

Practically speaking, adoption should be easy. The configuration file is similar to Goreleaser's, except that we support a single build for this first release. You can select an OS/Arch to generate provenance for, and disable the corresponding build for Goreleaser using the ignore option, as explained in builders/go/README.md#migration-from-goreleaser

I have prepared https://github.com/google/ko/pull/730 to help you see what the changes are.

Feedback welcome!

/cc @asraa @ianlewis

laurentsimon avatar Jun 14 '22 19:06 laurentsimon
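To make the migration described in the issue concrete, here is an added example (not code from the issue author, the linked PR, or the ko project) of the three pieces involved: the builder's own config file, the reusable-workflow job that invokes the SLSA3 Go builder, and the Goreleaser `ignore` entry that stops Goreleaser from building the same target. The release tag of the builder (`@v1.0.0`), the Go version, the binary name and the ldflags variables are assumptions chosen for illustration; the permissions listed are the ones the reusable workflow needs to request a Sigstore OIDC token and read the run metadata it records in the provenance.

```yaml
# .slsa-goreleaser.yml  (config for the slsa-github-generator Go builder)
# Only one goos/goarch pair per file in this first release, so the
# trusted builder produces exactly one binary plus its provenance.
version: 1

env:
  - CGO_ENABLED=0        # static binary; keeps the build reproducible

flags:
  - -trimpath            # strip absolute build paths from the binary

goos: linux
goarch: amd64

# Output name; {{ .Os }} / {{ .Arch }} are filled in from goos/goarch.
binary: ko-{{ .Os }}-{{ .Arch }}

# Values come from the `evaluated-envs` workflow input below (assumed names).
ldflags:
  - "-X main.Version={{ .Env.VERSION }}"
  - "-X main.Commit={{ .Env.COMMIT }}"

---
# .github/workflows/release.yml  (job that calls the reusable builder)
# The build runs inside the builder's own workflow, not in this repo's
# runner, which is what lets the provenance be trusted at SLSA level 3.
name: release
on:
  push:
    tags: ["v*"]

jobs:
  args:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.ldflags.outputs.version }}
      commit: ${{ steps.ldflags.outputs.commit }}
    steps:
      - uses: actions/checkout@v3
      - id: ldflags
        run: |
          echo "version=$(git describe --tags --always)" >> "$GITHUB_OUTPUT"
          echo "commit=$GITHUB_SHA" >> "$GITHUB_OUTPUT"

  build:
    needs: [args]
    permissions:
      id-token: write    # OIDC token for keyless (Sigstore) signing of the provenance
      contents: read     # read the tagged source
      actions: read      # read workflow-run metadata recorded in the provenance
    # Tag is an assumption; pin to a released builder tag, never a branch.
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.0.0
    with:
      go-version: 1.18
      config-file: .slsa-goreleaser.yml
      evaluated-envs: "VERSION:${{ needs.args.outputs.version }}, COMMIT:${{ needs.args.outputs.commit }}"

---
# .goreleaser.yml  (only the part that changes)
# Goreleaser keeps building every other target; linux/amd64 is ignored
# because the SLSA builder now produces that binary and its provenance.
builds:
  - goos: [linux, darwin, windows]
    goarch: [amd64, arm64]
    ignore:
      - goos: linux
        goarch: amd64
```

The builder publishes the binary and a provenance attestation (an in-toto statement) alongside it; downstream consumers check the attestation against the binary, the source repository and the tag with slsa-verifier before trusting the release, which is the property the issue is asking ko to provide.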