slsa-github-generator
Remove Dockerfile from detect-workflow action
See https://github.com/slsa-framework/slsa-github-generator/pull/35/files#r858908103
Something to try.
Isn't it actually better to have all the hashes explicitly baked in the Docker image though? It seems that relying on GitHub Actions would make it harder to track down exactly which versions are being used. GH Actions are also basically impossible to run locally, while it's trivial to run a Docker container locally that would execute exactly the same steps that CI would also run.
From that angle, I think you're right. Actions can be pinned by hash, so I guess we'd need to check how setup-go works under the hood and make sure it does pin what it downloads :-) That may be a good exercise in itself to see if it's do-able in general.
But I suspect Docker is easier :-)
Thanks for chiming in!
I think we should rewrite detect-workflow to TypeScript since it's essentially building a Docker image each run just so we can make a single HTTP request. We can speed it up a lot by rewriting it to a JavaScript action.
I'm on board with removing it and replacing it with TS.
Note that once we have released the generic container workflow, we can improve speed by using a container-based Action, like https://github.com/ossf/scorecard-action/blob/main/action.yaml#L54-L56.
For transparency, we can keep the SLSA attestation in the repository and add a pre-submit check that the hash of the attestation is the same as the one used by the action's container. We could later use the slsa-verifier when it's ready.
Not saying we cannot use TS long-term, but if speed is the main issue now, we can use the suggestion above instead.
WDYT?
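A sketch of the pre-submit check described in the comment above, as an added example (not code from slsa-github-generator or the scorecard-action): it assumes a container-based action.yaml that pins `image: docker://<name>@sha256:<digest>` and an in-toto statement kept in the repository whose subject name is that image name; the image name, digests and file contents are constructed.

```python
import re
from typing import Optional

# Constructed sample values (hypothetical image name and digest; not real artifacts).
GOOD_DIGEST = "ab" * 32
IMAGE_NAME = "ghcr.io/example-org/detect-workflow"

# The `runs:` section of a container-based action.yaml, pinned by digest.
SAMPLE_ACTION_YAML = f"""\
runs:
  using: docker
  image: docker://{IMAGE_NAME}@sha256:{GOOD_DIGEST}
"""

# Minimal in-toto Statement as a container provenance records it:
# subject name is the image, digest is the image's sha256 manifest digest.
SAMPLE_ATTESTATION = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": IMAGE_NAME, "digest": {"sha256": GOOD_DIGEST}}],
}

# Only a by-digest reference counts as pinned; a mutable tag such as :latest is rejected.
IMAGE_RE = re.compile(
    r"^\s*image:\s*['\"]?docker://(?P<name>[^@\s'\"]+)@sha256:(?P<digest>[0-9a-f]{64})['\"]?\s*$",
    re.MULTILINE,
)

def pinned_image(action_yaml: str) -> Optional[tuple[str, str]]:
    """Return (image name, sha256 digest) pinned in action.yaml, or None if unpinned."""
    m = IMAGE_RE.search(action_yaml)
    return (m.group("name"), m.group("digest")) if m else None

def attested_digests(statement: dict) -> dict[str, str]:
    """Map each attested subject name to its sha256 digest."""
    return {s["name"]: s["digest"]["sha256"] for s in statement.get("subject", [])}

def check_pin_matches_attestation(action_yaml: str, statement: dict) -> tuple[bool, str]:
    """Pre-submit verdict: True only if the pinned digest is an attested subject."""
    pinned = pinned_image(action_yaml)
    if pinned is None:
        return False, "action.yaml does not pin the image by sha256 digest"
    name, digest = pinned
    attested = attested_digests(statement).get(name)
    if attested is None:
        return False, f"no attestation subject for {name}"
    if attested != digest:
        return False, f"digest mismatch for {name}: pinned {digest[:12]}..., attested {attested[:12]}..."
    return True, f"{name}@sha256:{digest[:12]}... matches the attestation"
```

In CI the check would read the real action.yaml and the committed attestation file and fail the job when the verdict is False; the attestation's own signature would still be verified separately (for example by slsa-verifier) before its contents are trusted.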
> Note that once we have released the generic container workflow, we can improve speed by using a container-based Action, like https://github.com/ossf/scorecard-action/blob/main/action.yaml#L54-L56.
Yeah, that's one way to do it. It's a bit more work to set up a place to store the images and the CI for it, but we could probably just use GHA/ghcr.io for that.
I was thinking of using ghcr.io for it.