slsa-github-generator

slsa-github-generator copied to clipboard

[bug] Tests exit successfully even if unit tests fail

4

**Describe the bug** The golang builder makes an [Exec syscall directly](https://github.com/slsa-framework/slsa-github-generator/blob/c565ad10f0c2efdc6fcc8fe55b52845f85014dfa/internal/builders/go/pkg/build.go#L164). This causes tests that call `GoBuild.Run` to cause the test runner to exit prematurely as the original test runner's...

ianlewis

[feature] Support offline attestation verification: .sigstore file or persisted SET

1

This is a tracking issue and discussion for whether we should move to support the proposed Sigstore's attestation blob format when it is implemented See https://docs.google.com/document/d/1gucjOA_bGyRjK6TeaOI-X5GIUv8WsPzeMDMkq25Kv4Y/edit#heading=h.we5fqok7jai5 https://github.com/sigstore/cosign/issues/2131 **Describe the solution...

asraa

[bug] Problem using SLSA3+ provenance generator for arbitrary projects

16

**Describe the bug** I am following the instructions [for using generator_generic_slsa3](https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md) to generate provenances for Oak. The call to the workflow fails with the following error: ``` Run ./.github/actions/generate-builder/generate-builder.sh /home/runner/work/_temp/9c89bedb-16a3-4329-be6c-a854f00c4572.sh:...

rbehjati

[bug] Certificates signed by unknown authority

2

**Describe the bug** A clear and concise description of what the bug is. The `verify` job is failing with the following error: ``` $ go run . -artifact-path ~/Downloads/binary-linux-amd64 -provenance...

asraa

[feature] bring your own builder

35

it may be a useful component for others to create provenance with the same format across GH builders. See https://github.com/sigstore/fulcio/issues/754#issuecomment-1227505585

laurentsimon

[bug] Pinning slsa-github-generator to a commit doesn't work

1

**Describe the bug** When the reusable workflow `generator_generic_slsa3.yml` is pinned to a commit (as is recommended by Scorecard) it fails with the following message: ``` Run ./.github/actions/generate-builder/generate-builder.sh ./.github/actions/generate-builder/generate-builder.sh shell: /usr/bin/bash...

sethmlarson

[](https://renovatebot.com) This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [github.com/sigstore/sigstore](https://togithub.com/sigstore/sigstore) | require | minor | `v1.3.1` -> `v1.4.0` | ---...

renovate-bot

[](https://renovatebot.com) This PR contains the following updates: | Package | Change | Age | Adoption | Passing | Confidence | |---|---|---|---|---|---| | [eslint](https://eslint.org) ([source](https://togithub.com/eslint/eslint)) | [`8.20.0` -> `8.23.0`](https://renovatebot.com/diffs/npm/eslint/8.20.0/8.23.0) |...

renovate-bot

Discussion: Use a Docker image for building binaries/files prior to generating SLSA provenances

33

Follow-up discussion about the idea of using a Docker image as the builder/releaser, as we have in project Oak. In [project Oak](https://github.com/project-oak/oak), and as part of our [transparent-release](https://github.com/project-oak/transparent-release) work, we...

rbehjati

[feature] Add a release URL to builders and generators for uploading assets

5

**Is your feature request related to a problem? Please describe.** A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] **Describe the solution you'd...

asraa