slsa-github-generator
Language-agnostic SLSA provenance generation for GitHub Actions
Repo: https://github.com/slsa-framework/example-package/tree/main
Run: https://github.com/slsa-framework/example-package/actions/runs/8304599226
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.gcb.tag.main.annotated-build.slsa3.yml
Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.gcb.tag.main.annotated-build.slsa3.yml
Trigger: schedule
Branch: main
Date: Sat Mar 16 02:14:02 UTC 2024

Repo: https://github.com/slsa-framework/example-package/tree/main
Run: https://github.com/slsa-framework/example-package/actions/runs/8304584099
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.gcb.push.main.default.slsa3.yml
Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.gcb.push.main.default.slsa3.yml
Trigger: schedule
Branch: main
Date: Sat Mar 16 02:12:22 UTC 2024

Repo: https://github.com/slsa-framework/example-package/tree/branch1
Run: https://github.com/slsa-framework/example-package/actions/runs/8593196125
Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3.yml
Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.workflow_dispatch.branch1.config-ldflags.slsa3.yml
Trigger: workflow_dispatch
Branch: branch1
Date: Mon Apr 8 01:28:00 UTC 2024
See https://github.com/slsa-framework/slsa-github-generator/pull/3312/#issuecomment-1995315105 The secure-upload-folder Action is broken and always runs at main instead of using the PR code. I think we can solve this by doing: 1. Checkout with PR...
**Is your feature request related to a problem? Please describe.** Bazel [recommends](https://blog.bazel.build/2023/02/15/github-archive-checksum.html) publishing source code archives as release assets – and Bazel Central Registry [verifies](https://github.com/bazelbuild/bazel-central-registry/blob/main/tools/verify_stable_archives.py) stability by checking for `…/releases/download/…`...
sigstore-js is used in our internal sign-attestations Action, and we're at v1.8.0. There is a v2.x version available
[bug] SLSA generator blocking build pipelines and unable to leverage sigstore due to cosign v2.2.2.1
**Describe the bug** @ianlewis / @haydentherapper I see that the cosign version is bumped to v2.2.3 in the master branch. Can this SLSA generator be referenced using a SHA? Is...
# Update
We're putting this PR on hold until we can get an answer in https://github.com/orgs/community/discussions/111347
# Summary
Fixes #1868 Fails the generator workflows when they detect that other...
The new v1.0 specs, iiuc, no longer have a "provenance" level 3. I think this means the generators would become level 2. We could probably make them level 3 if...