
[feature][byob] Re-visit workflow structure

Open laurentsimon opened this issue 2 years ago • 2 comments

In the v1.0, we may leave

```typescript
workflow: {
  ref: rawTokenObj.github.ref,
  repository: rawTokenObj.github.repository,
  path: getWorkflowPath(rawTokenObj.github),
},
```

blank, because:

  1. The interface to our builder has nothing to do with this workflow
  2. The trigger workflow is present in the env variables anyway, in case someone wants to know about it

laurentsimon avatar Apr 28 '23 18:04 laurentsimon

/cc @asraa relevant to the discussion in https://github.com/slsa-framework/slsa-verifier/issues/610. Let's keep this issue for tracking the update to docker-based builder and the BYOB builders.

We tentatively agreed in the other issue to keep the workflow but move it under internalParameters for builders. Generators will need to keep the workflow in externalParameters. Probably we need a new bool input to the verify-token indicating if the call is for a generator or a builder.

laurentsimon avatar May 23 '23 16:05 laurentsimon

Given that there's already GITHUB_WORKFLOW_REF recorded in the internalParameters, I think we can drop the workflow entirely if it's a builder.

laurentsimon avatar May 23 '23 17:05 laurentsimon
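The thread above discusses moving the workflow object out of `externalParameters` for builders and relying on the `GITHUB_WORKFLOW_REF` value recorded in `internalParameters`. The following is an added example, not code from slsa-github-generator or slsa-verifier, showing how a verifier could resolve the triggering workflow from a SLSA v1.0 provenance predicate under either layout. It assumes the `buildDefinition` / `externalParameters` / `internalParameters` field names of SLSA v1.0 and the documented `owner/repo/path@ref` format of `GITHUB_WORKFLOW_REF`; the two sample predicates are constructed.

```javascript
// Added example (not slsa-github-generator code). Resolves the workflow that
// triggered a build from a SLSA v1.0 provenance predicate, accepting both the
// generator layout (workflow object in externalParameters) and the builder
// layout (only GITHUB_WORKFLOW_REF in internalParameters).

// GITHUB_WORKFLOW_REF has the form "<owner>/<repo>/<path-to-workflow-file>@<ref>".
function parseWorkflowRef(ref) {
  const m = /^([^/]+\/[^/]+)\/(.+)@(.+)$/.exec(ref);
  if (!m) return null;
  return { repository: m[1], path: m[2], ref: m[3] };
}

function resolveWorkflow(predicate) {
  const bd = predicate.buildDefinition || {};
  const ext = bd.externalParameters || {};
  const internal = bd.internalParameters || {};

  // Generator case: the workflow is part of the builder's external interface.
  const w = ext.workflow;
  if (w && typeof w.repository === "string" && typeof w.ref === "string" && typeof w.path === "string") {
    return { source: "externalParameters", repository: w.repository, path: w.path, ref: w.ref };
  }

  // Builder case: fall back to the GITHUB_WORKFLOW_REF env value recorded internally.
  if (typeof internal.GITHUB_WORKFLOW_REF === "string") {
    const parsed = parseWorkflowRef(internal.GITHUB_WORKFLOW_REF);
    if (parsed) return { source: "internalParameters", ...parsed };
  }

  // Neither layout present: the verifier cannot attribute the build to a workflow.
  return null;
}

// Constructed sample: generator-style provenance keeping the workflow object.
const SAMPLE_GENERATOR_PREDICATE = {
  buildDefinition: {
    externalParameters: {
      workflow: {
        ref: "refs/heads/main",
        repository: "example-org/example-repo",
        path: ".github/workflows/release.yml",
      },
    },
    internalParameters: {},
  },
};

// Constructed sample: builder-style provenance with the workflow dropped from
// externalParameters and only the env value recorded internally.
const SAMPLE_BUILDER_PREDICATE = {
  buildDefinition: {
    externalParameters: { source: "git+https://github.com/example-org/example-repo@refs/heads/main" },
    internalParameters: {
      GITHUB_WORKFLOW_REF: "example-org/example-repo/.github/workflows/build.yml@refs/heads/main",
    },
  },
};

module.exports = { parseWorkflowRef, resolveWorkflow, SAMPLE_GENERATOR_PREDICATE, SAMPLE_BUILDER_PREDICATE };
```

A verifier that records which source the workflow came from can apply stricter policy to the `externalParameters` case (the value is part of the attested interface) than to the `internalParameters` fallback.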