slsa-github-generator
Language-agnostic SLSA provenance generation for GitHub Actions
Users should be able to use pnpm to publish since it shells out to npm.
Hi, folks. The generator currently only supports GitHub. Do we have any plans to support other platforms, such as GitLab or [Gitee](https://gitee.com/)?
Create a GitHub Actions starter workflow for the Node.js builder workflow.
Add a pre-submit that checks if code is properly formatted. Should use the `format` Makefile target and check for differences with `git diff` similar to the [`markdown-toc` pre-submit](https://github.com/slsa-framework/slsa-github-generator/blob/4314fec3d06bb217f163b89466dcd34be65b9bf1/.github/workflows/scripts/pre-submit.markdown/markdown-toc.sh#L22).
- [ ] Add info on linters that have been added
- [ ] Add info on formatting code when submitting PRs
Currently the container-based builder uses `go-cmp` for non-test code in some verification logic. Since `go-cmp` is meant to be used in tests, I think we should avoid using it in...
As part of the BYOB feature, we want to help TRW authors keep their code reliable and prevent it from breaking. This issue provides a wish list about *what* features...
We need to add `source` for our BYOB builders. In https://slsa.dev/provenance/v1 "Migrating from 0.2":

```json
"source": old.invocation.configSource.uri,
```

which seems to indicate that source is a URI of type string....
In the v1.0, we may leave

```
workflow: {
  ref: rawTokenObj.github.ref,
  repository: rawTokenObj.github.repository,
  path: getWorkflowPath(rawTokenObj.github),
},
```

blank, because:

1. The interface to our builder has nothing to do with...
Besides vars and inputs, there are other objects to populate based on the event type, see https://github.com/slsa-framework/slsa/blob/main/docs/github-actions-workflow/v1-rc1.md