laurentsimon
laurentsimon
The current Action https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/gradle/publish/action.yml - checkout the repo https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/gradle/publish/action.yml#L37, which should not be necessary - expects the attestations to be in a specific folder https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/gradle/publish/action.yml#L59 - don't download the provenance...
Other builders use gitCommit.
Currently not verified. No security implications afaict. The Action is run in its own VM
Do that for: - the BYOB's large-subject artifact - all the use cases of geekyeggo/delete-artifact in delegator and container-based builder We shoudl be able to write a script and use...
This will add: - [ ] pre-submit with a non-signed attestations - [ ] daily runs
As part of the BYOB feature, we want to help TRW authors keep their code reliable and prevent it from breaking. This issue provides a wish list about *what* features...
We need to add `source` for our BYOB builders. In https://slsa.dev/provenance/v1 "Migrating from 0.2": ```json "source": old.invocation.configSource.uri, ``` which seems to indicate that source is a URI of type string....
In the v1.0, we may leave ``` workflow: { ref: rawTokenObj.github.ref, repository: rawTokenObj.github.repository, path: getWorkflowPath(rawTokenObj.github), }, ``` blank, because: 1. The interface to our builder has nothing to do with...
Besides vars and inputs, there are other objects to populate based on the event type, see https://github.com/slsa-framework/slsa/blob/main/docs/github-actions-workflow/v1-rc1.md
Reusable workflows now support matrix https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-a-matrix-strategy-with-a-reusable-workflow We need to add support for BYOB: - how can TRW writers use this feature - add support in the SLSA token - how...