Create an -installer action to invoke in reusable workflows

Open asraa opened this issue 3 years ago • 5 comments

asraa avatar Apr 07 '22 19:04 asraa

How can we also augment the provenance for custom info if they want to use this in a particular ecosystem?

Maybe there are particular fields that people want to pass in. Let's keep this tool to be GitHub information specific. maybe buildConfig? idk?

asraa avatar Apr 07 '22 19:04 asraa

I might be missing some context for this. What do you mean by "-installer action"? Do you mean something like the setup-X actions (setup-go etc.) that installs the slsa-github-generator binary into a job's workspace?

ianlewis avatar Apr 08 '22 01:04 ianlewis

Exactly that!

Sorry, context was that cosign has an action called cosign-installer that installs the binary into the workspace to use cosign CLI.

asraa avatar Apr 08 '22 01:04 asraa
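For readers unfamiliar with the cosign-installer pattern mentioned above, here is an added example of what such a composite "-installer" action looks like. It is not code from the slsa-github-generator project; the action name, input names, release asset name and download URL are placeholders I chose for illustration. The security-relevant parts are that the release tag and the asset's SHA-256 are pinned as inputs and the download is refused unless the digest matches, so a later step never runs a binary whose provenance the workflow did not check.

```yaml
# Added example (not part of slsa-github-generator): a minimal composite
# installer action in the style of cosign-installer / setup-X.
# Assumptions: the asset name, download URL and checksum are placeholders;
# substitute the values for the exact release you pin.
name: 'slsa-github-generator installer (example)'
description: 'Download a pinned release binary, verify its SHA-256, and expose it on PATH'
inputs:
  version:
    description: 'Release tag to install (pin an exact tag, not a floating ref)'
    required: true
  sha256:
    description: 'Expected SHA-256 of the release asset for that tag'
    required: true
runs:
  using: 'composite'
  steps:
    - name: Download and verify binary
      shell: bash
      env:
        VERSION: ${{ inputs.version }}
        EXPECTED_SHA256: ${{ inputs.sha256 }}
      run: |
        set -euo pipefail
        install_dir="${RUNNER_TEMP}/slsa-github-generator-bin"
        mkdir -p "${install_dir}"
        # PLACEHOLDER URL: point this at the real release asset for ORG/REPO.
        asset_url="https://github.com/ORG/REPO/releases/download/${VERSION}/slsa-github-generator-linux-amd64"
        curl -fsSL --retry 3 -o "${install_dir}/slsa-github-generator" "${asset_url}"
        # Refuse to install anything whose digest differs from the pinned value;
        # sha256sum -c exits non-zero on mismatch and set -e aborts the step.
        echo "${EXPECTED_SHA256}  ${install_dir}/slsa-github-generator" | sha256sum -c -
        chmod +x "${install_dir}/slsa-github-generator"
        # Appending to GITHUB_PATH makes the binary available to every later step in the job.
        echo "${install_dir}" >> "${GITHUB_PATH}"
    - name: Confirm the binary is on PATH
      shell: bash
      run: command -v slsa-github-generator
```

A consuming job would call it as `uses: ORG/slsa-github-generator-installer@<pinned-sha>` with `version` and `sha256` under `with:`, then invoke the CLI in later steps exactly as cosign-installer users invoke cosign. Pinning the installer action itself by commit SHA, not just the binary it fetches, closes the same gap one level up.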

Ok, cool! Do you have an idea for a specific use-case for this?

I kind of imagined that it would be more flexible for ecosystem builders to consume this as a Go API, but I can understand how some of them wouldn't want to implement a builder in Go, and would rather do it using their own language-specific tools + maybe a CLI provided by this repo?

What gives me pause is that it gets a bit difficult trying to support all the various SLSA fields via a CLI, but I'm sure it's possible.

ianlewis avatar Apr 08 '22 02:04 ianlewis

I think this is mostly covered by the generate-builder action that we reuse in our workflows. https://github.com/slsa-framework/slsa-github-generator/tree/main/.github/actions/generate-builder

Do we need anything more?

ianlewis avatar Jul 22 '22 11:07 ianlewis