
[docs] Generate provenance for containers and store in ghcr.io

Open ianlewis opened this issue 3 years ago • 3 comments

Jun 24 '22 07:06 ianlewis

https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml can give some ideas.

We could start by using the cosign CLI to sign the attestation as in https://github.com/laurentsimon/slsa-github-generator-ko/blob/main/.github/workflows/slsa3-builder.yml#L414

Do we want the verifier to support verification for the GA release?

Jun 27 '22 18:06 laurentsimon

Do we want the verifier to support verification for the GA release?

I would think so

Jun 27 '22 22:06 ianlewis

Verifier support will be handled by https://github.com/slsa-framework/slsa-verifier/issues/92

Jul 04 '22 23:07 ianlewis

The workflow itself is implemented. Closing.

Sep 22 '22 00:09 ianlewis