slsa-github-generator
Language-agnostic SLSA provenance generation for Github Actions
Currently the `directory` input checks that it's a sub-directory of `GITHUB_WORKSPACE` but it should also allow `/tmp` and `RUNNER_TEMP` to be used as well.
We also need to update the doc. @AdamKorcz, assigning to you.
**Is your feature request related to a problem? Please describe.** No, this is not a feature request related to a problem. **Describe the solution you'd like** I'd like to highlight...
See https://github.com/slsa-framework/slsa-github-generator/issues/2508 Do we want to store on Maven central to avoid checking out this repo? Can we verify provenance for it if we pull it from Maven central?
Address the comments @ianlewis left on https://github.com/slsa-framework/slsa-github-generator/commit/ffbc1e5a1af0e70584a8aad5a3529b627fa03b32
This issue tracks the development of builders for the Gradle and Maven ecosystems. I suggest the builders are added to the slsa-github-generator project in the same manner as the...
The current Action https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/gradle/publish/action.yml:

- checks out the repo https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/gradle/publish/action.yml#L37, which should not be necessary
- expects the attestations to be in a specific folder https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/gradle/publish/action.yml#L59
- doesn't download the provenance...
Currently, the BYOB framework does not allow configuration of the build environment beyond what is set within each respective builder. However, many different repos on Github configure the build environment...
Other builders use gitCommit.
Currently not verified. No security implications afaict. The Action is run in its own VM.