slsa-github-generator
Language-agnostic SLSA provenance generation for GitHub Actions
We may want to provide the name of the tarball created, so that users can download it if they want to.
Let's think about whether we need to filter out certain build arguments or not, like we do for the go builder.
Let's try to upload the package tarball to GitHub release assets, in addition to publishing it.
# Background: For reproducibility, build steps are included in provenance `buildConfig` by some of our workflows. These build steps include information to reproduce the command, such as the working directory...
Get set the architecture for the build. Since the job that built the artifact could be using a different CPU architecture than the job running the provenance generation, this probably...
Having some examples of generating provenance for artifacts other than packages or binaries would demonstrate that the generic workflow can be used to generate provenance for files like SBOMs, sarif...
Repo: https://github.com/slsa-framework/example-package/tree/v42.0.261
Run: https://github.com/slsa-framework/example-package/actions/runs/8593555484
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.delegator-generic.release.main.default.slsa3.yml
Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.delegator-generic.release.main.default.slsa3.yml
Trigger: release
Branch: v42.0.261
Date: Mon Apr 8 02:14:36 UTC 2024

Repo: https://github.com/slsa-framework/example-package/tree/v14.2.11
Run: https://github.com/slsa-framework/example-package/actions/runs/8595341417
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.go.tag.main.config-ldflags-noassets.slsa3.yml
Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.tag.main.config-ldflags-noassets.slsa3.yml
Trigger: push
Branch: v14.2.11
Date: Mon Apr 8 06:11:24 UTC 2024

Repo: https://github.com/slsa-framework/example-package/tree/main
Run: https://github.com/slsa-framework/example-package/actions/runs/8477833021
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.nodejs.push.main.custom_publish.slsa3.yml
Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.nodejs.push.main.custom_publish.slsa3.yml
Trigger: push
Branch: main
Date: Fri Mar 29 06:08:00 UTC 2024

Repo: https://github.com/slsa-framework/slsa-github-generator/tree/main
Run: https://github.com/slsa-framework/slsa-github-generator/actions/runs/7000552196
Workflow file: https://github.com/slsa-framework/slsa-github-generator/tree/main/.github/workflows/e2e.sign-attestations.schedule.yml
Workflow runs: https://github.com/slsa-framework/slsa-github-generator/actions/workflows/e2e.sign-attestations.schedule.yml
Trigger: schedule
Branch: main
Date: Mon Nov 27 04:18:27 UTC 2023