
Support for pull_request

Open ianlewis opened this issue 3 years ago • 5 comments

This is a tracking issue for supporting pull_request events. Please comment regarding your use case.

ianlewis avatar Jun 20 '22 07:06 ianlewis

Another use case is to test the configuration.

For example, I didn't realize that env vars are case-sensitive and ran into this problem

env variable empty or not set: {{ .Env.Version }}

because I had been using VERSION in my evaluated-envs.

See https://github.com/slsa-framework/slsa-verifier/pull/298

asraa avatar Oct 08 '22 19:10 asraa
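The pitfall described in the comment above, reproduced as an added Go example (not the project's own code): Go text/template field lookups are case-sensitive, so an evaluated-envs map holding VERSION does not satisfy `{{ .Env.Version }}`. The argument-template shape and the `Env` map layout are assumptions made for the example.

```go
package main

import (
	"bytes"
	"fmt"
	"regexp"
	"text/template"
)

// envRef matches {{ .Env.NAME }} references inside an argument template.
var envRef = regexp.MustCompile(`\{\{\s*\.Env\.([A-Za-z_][A-Za-z0-9_]*)\s*\}\}`)

// MissingEnvs lists the .Env.NAME references in arg whose key is absent or
// empty in envs. The lookup is exact-case: "VERSION" does not match "Version".
func MissingEnvs(arg string, envs map[string]string) []string {
	var missing []string
	for _, m := range envRef.FindAllStringSubmatch(arg, -1) {
		if v, ok := envs[m[1]]; !ok || v == "" {
			missing = append(missing, m[1])
		}
	}
	return missing
}

// EvaluateArg renders an argument template such as
// "-X main.version={{ .Env.Version }}" against the evaluated-envs map.
// missingkey=error makes a mis-cased or unset key fail loudly instead of
// silently rendering "<no value>" into the build flags.
func EvaluateArg(arg string, envs map[string]string) (string, error) {
	if missing := MissingEnvs(arg, envs); len(missing) > 0 {
		return "", fmt.Errorf("env variable empty or not set: %s (missing %v)", arg, missing)
	}
	tmpl, err := template.New("arg").Option("missingkey=error").Parse(arg)
	if err != nil {
		return "", fmt.Errorf("invalid template %q: %w", arg, err)
	}
	var out bytes.Buffer
	if err := tmpl.Execute(&out, map[string]interface{}{"Env": envs}); err != nil {
		return "", fmt.Errorf("rendering %q: %w", arg, err)
	}
	return out.String(), nil
}

func main() {
	envs := map[string]string{"VERSION": "v1.2.3"} // constructed sample input
	_, err := EvaluateArg("-X main.version={{ .Env.Version }}", envs)
	fmt.Println("mis-cased key:", err)
	ok, _ := EvaluateArg("-X main.version={{ .Env.VERSION }}", envs)
	fmt.Println("exact key:", ok)
}
```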

The OpenZeppelin folks mentioned that they would like support for pull requests https://github.com/OpenZeppelin/defender-client/issues/277

ianlewis avatar Jul 18 '23 02:07 ianlewis

Is there anything stopping delegator from PR events? I believe it should be able to output unsigned attestations if there's a guard on the sign-attestations step.

asraa avatar Jul 18 '23 14:07 asraa

Right. I think signing is the biggest thing though there are some other subtle differences as well. I think we had issues with which git sha we pick up when generating the provenance? I can't exactly remember but I think detect-workflow-js already supports it: https://github.com/slsa-framework/slsa-github-generator/blob/942ce4027d93050826def3a8677d51c851419e97/.github/actions/detect-workflow-js/src/detect.ts#L84

ianlewis avatar Jul 18 '23 23:07 ianlewis

It would be nice to have id-token scoped to reflect it being issued within the context of a pull request so that artifacts generated during pull request runs such as OCI images could be uploaded to appropriately access controlled registries.

johnandersen777 avatar Sep 08 '23 15:09 johnandersen777