slsa-github-generator

Any plan to support other platforms?

Open wenhao2017 opened this issue 2 years ago • 6 comments

Hi, folks.

Now the generator only supports GitHub.

Do we have any plans to support other platforms, such as GitLab or Gitee?

wenhao2017 avatar May 10 '23 09:05 wenhao2017

Hi @wenhao2017, currently this project is focused on GitHub for the time being. We do have the sister project for verification https://github.com/slsa-framework/slsa-verifier where we'd be interested in supporting verification for more CI platforms.

laurentsimon avatar May 12 '23 21:05 laurentsimon

I'll also just add that our work here depends on some key API primitives that GitHub Actions hosted runners provide for us: jobs that run in separate VMs, which allows us to separate "untrusted" builds from the "trusted" SLSA provenance generation.

If other platforms supported something like that we could look into supporting them in a similar way to how we support GitHub Actions (though I suspect it would need to be a completely separate project). Right now most other CI platforms don't really have a similar solution that we can build on.

Here are a few other links to GitLab related SLSA work that is ongoing:

  • GitLab CI provenance for npm: https://github.com/npm/cli/issues/6373
  • GitLab Supply Chain security working group: https://about.gitlab.com/company/team/structure/working-groups/software-supply-chain-security/

ianlewis avatar May 13 '23 05:05 ianlewis

> Here are a few other links to GitLab related SLSA work that is ongoing:
>
> * GitLab CI provenance for npm: [(libnpmpublish) GitLab CI provenance npm/cli#6373](https://github.com/npm/cli/issues/6373)

Released in npm 6.7.2 https://github.com/npm/cli/pull/6526

reneleonhardt avatar Jun 14 '23 01:06 reneleonhardt

> Released in npm 6.7.2 npm/cli#6526

I think you mean npm 9.7.2

ianlewis avatar Jun 14 '23 02:06 ianlewis

We do have plans to support verification in https://github.com/slsa-framework/slsa-verifier/issues/593

laurentsimon avatar Jun 14 '23 13:06 laurentsimon

> > Released in npm 6.7.2 npm/cli#6526
>
> I think you mean npm 9.7.2

lol yeah, copy paste for the win, still better than typos or a dreaming ChatBot with 2 years old version numbers 🙈 😆

reneleonhardt avatar Jun 17 '23 07:06 reneleonhardt