slsa-github-generator
Language-agnostic SLSA provenance generation for GitHub Actions
Reusable workflows now support matrix https://docs.github.com/en/actions/using-workflows/reusing-workflows#using-a-matrix-strategy-with-a-reusable-workflow We need to add support for BYOB: - how can TRW writers use this feature - add support in the SLSA token - how...
We currently only test verify-token with the v1.0 predicate
We had an issue about it, but I could not find it so I'm creating this new one. We need to mask private fields of GH context for privacy reasons:...
We need to verify that the generated provenance is correct. Unit tests and scheduled tests within this repo. The feature was introduced in https://github.com/slsa-framework/slsa-github-generator/pull/2078
We currently don't record the inputs for generators in the `externalParameters` in `verify-token`
Create a section in the README that outlines how to use GCP workload identity and gives pointers on how you need to set it up.
The Go builder and generic generator use `softprops/action-gh-release` to create releases. We should support setting the `draft` flag so that users can create draft releases. Related: https://github.com/sigstore/helm-sigstore/pull/111
We would like to remove support for SLSA v0.2 before BYOB GA but we may need to support it for the nodejs builder.
We currently shell out to openssl to read the x509 cert info. We can update our code as https://github.com/sigstore/sigstore-js/pull/198#pullrequestreview-1270008968 /cc @asraa
**Is your feature request related to a problem? Please describe.** Add strict validation to the SLSA subject layout for generate-attestations. Validate that malformed subject layouts cause errors. **Describe the solution...