laurentsimon
Repo: https://github.com/slsa-framework/example-package/tree/v23.0.126
Run: https://github.com/slsa-framework/example-package/actions/runs/3286950173
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml
Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.release.main.config-ldflags-assets-tag.slsa3.yml
Trigger: release
Branch: v23.0.126
Date: Thu Oct 20 05:06:42 UTC 2022
We need one e2e test for https://github.com/slsa-framework/slsa-github-generator/issues/880, i.e. to verify that a malicious artifact cannot overwrite the builder repo. Let's start with pre-submits. It should be possible to check for:...
A few internal Actions need to be called with their fully-qualified name: ```slsa-framework/slsa-github-generator/.github/actions/[email protected]```. We need to ensure they use the same tag as the release tag for consistency. The...
We may want to provide the name of the tarball created, so that users can download it if they want to.
Let's think about whether we need to filter out certain build arguments or not, like we do for the go builder.
Let's try to upload the package tarball to GitHub release assets, in addition to publishing it.
To help users, we could try to provide more examples, e.g., with a repository pre-configured to follow these practices (https://github.com/ossf/package-manager-best-practices/pull/25#discussion_r966258313) We could also improve the text itself. /cc @olivekl @wesleytodd
Your code is not even released and here's your first issue... :-) We'd love to see your code enabled into afl++ as a special mode. Afl++ is already supported in...
**Describe the bug** The `inputs` between `workflow_call` and `workflow_dispatch` are unified (https://github.blog/changelog/2022-06-10-github-actions-inputs-unified-across-manual-and-reusable-workflows/). However, I found a corner case that seems to behave incorrectly. When a workflow runs on workflow_dispatch event...
I'm developing a GitHub action following https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#physicallocation-object The doc says the `artifactLocation.uri: If the URI is absolute, code scanning can use the URI to checkout the artifact and match up...