slsa-github-generator
Language-agnostic SLSA provenance generation for GitHub Actions
Most of the examples I've seen for achieving SLSA 3 involve cosign's [keyless signing](https://github.com/sigstore/cosign/blob/main/KEYLESS.md) ability. While this is handy, involves managing no keys manually, and can result in better security,...
I'm noticing in both the generic provenance generator and the Go generator that certain fields in the `environment` object are included even if they have portions of the templated values...
To help with troubleshooting rekor, let's log the rekor UUID after upload. I'm wondering if it would help to embed the UUID as part of this proposal https://github.com/sigstore/cosign/issues/1743 /cc @asraa
This is a tracking issue for supporting `pull_request` events. Please comment regarding your use case.
Adding `id-token: write` to workflows triggered by `pull_request` events doesn't seem to be allowed. This seems a bit problematic that we would expect that folks only run our workflow when...
Goreleaser supports building containers, e.g., https://github.com/tensorchord/envd/blob/main/.goreleaser.yaml#L79
See https://goreleaser.com/customization/nfpm/
Since the provenance file (in attested format) gets uploaded, users may need to download that in another job to attach it as an attestation to an image. Making sure the...
We don't support variables like `${{.Version}}`, `${{.Branch}}`, `${{.Commit}}`, `${{.Tag}}` today, so we should add support for it
The SLSA v0.2 provenance format describes [`invocation.environment`](https://slsa.dev/provenance/v0.2#invocation.environment) as follows:

> Any other builder-controlled inputs necessary for correctly evaluating the build. Usually only needed for [reproducing](https://reproducible-builds.org/) the build but not evaluated...