Ramon Petgrave

156 comments of Ramon Petgrave

reopening, since `(n *Npm) verifiedProvenanceBytes()` is not yet implemented. https://github.com/slsa-framework/slsa-verifier/blob/18c5f13b3ecdf5b79db7448291d3c5aa67683157/verifiers/internal/gha/npm.go#L224-L229

fix pending in #768 https://github.com/slsa-framework/slsa-verifier/pull/768#discussion_r1662938115

@Danil-Grigorev Were you able to test this in any way, perhaps on your own fork?

We have not done a full evaluation yet. But for now, we know that Github's Action is meant to be at L2, while our slsa-framework's Workflows are at L3. -...

@behnazh-w Re: 2, Github's Artifact Attestation is not yet supported in slsa-verifier, and there may be some disagreement or misunderstanding about whether it is SLSA provenance or not.

@behnazh-w Here's an active discussion about a separate issue: https://github.com/cli/cli/issues/9602#issuecomment-2396377920

Followup to remove the CLA check?

Thanks @TomHennen. To help, I have some additional questions. Which aspects of transparency were you looking for? Publishing the build event and signing event to a public log like Rekor?...

@ianlewis not for pre-submits, or `pull_request` events, but for `push` events, since id-token isn't available for PRs. And so far it seems not yet unresolved. - https://github.com/slsa-framework/slsa-github-generator/issues/131 So I might...
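As an added illustration of the point in the comment above (this is example configuration written for this page, not code from the slsa-framework project or from the commenter), a workflow that requests the OIDC `id-token` permission only on `push` events. The reusable-workflow path and the `@v2.0.0` tag are assumptions here and should be checked against the slsa-github-generator repository before use; the `build` job is a placeholder.

```yaml
# Added example: the SLSA provenance job needs `id-token: write`, which GitHub
# does not grant to `pull_request` runs, so the trigger is limited to `push`.
name: release-with-provenance

on:
  push:
    tags:
      - "v*"        # assumption: tags are the release trigger

permissions: read-all  # default for all jobs; jobs escalate only what they need

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
      - name: Build artifact (placeholder)
        run: echo "example artifact" > artifact.txt
      - name: Generate subject hashes
        id: hash
        # The generator expects base64-encoded `sha256sum` output as subjects.
        run: echo "hashes=$(sha256sum artifact.txt | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with:
          name: artifact
          path: artifact.txt

  provenance:
    needs: [build]
    permissions:
      actions: read     # the generator reads the workflow run
      id-token: write   # OIDC token for Sigstore signing; unavailable on pull_request
      contents: write   # to attach provenance to the release
    # Assumption: path and tag of the generic SLSA3 generator reusable workflow.
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
```

If the same `provenance` job were wired to `on: pull_request`, the OIDC token request would fail, which is the limitation the comment refers to.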