slsa-github-generator
Language-agnostic SLSA provenance generation for GitHub Actions
Docs on how to verify provenance generated by the generic workflow with [Kyverno](https://kyverno.io/). Kyverno docs on verifying images are here: https://kyverno.io/docs/writing-policies/verify-images/
SLSA materials are:
```
materials array of objects, optional
The collection of artifacts that influenced the build including sources, dependencies, build tools, base images, and so on. This is considered...
```
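As an added example (not code from the slsa-github-generator project or from the issue above), the following Python snippet shows how a consumer of SLSA v0.2 provenance can use the `materials` field in practice: locate the material that records the source repository (the generator writes it as `git+<repo>@<ref>` with a `sha1` digest) and check that it pins the commit the consumer expects. The statement, builder id, buildType and digests are constructed sample values, and the `git+` URI convention is an assumption about how the source is recorded; the check fails closed when `materials` is absent (it is optional), when the repository appears more than once, or when the digest is missing or mismatched.

```python
"""Check the `materials` of a SLSA v0.2 provenance statement against the
expected source repository and commit (added example, not project code)."""
import json
from typing import Any, Dict, List, Tuple

SLSA_V02 = "https://slsa.dev/provenance/v0.2"

# Constructed sample values; the sha1 is a dummy 40-hex string, not a real commit.
EXPECTED_REPO = "https://github.com/example/hello"
EXPECTED_SHA1 = "c0ffee" * 6 + "c0ff"

# Constructed sample in-toto statement shaped like SLSA v0.2 provenance.
# The builder id and buildType are placeholders modelled on the generic
# workflow; none of this is output captured from the generator.
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": "hello-linux-amd64", "digest": {"sha256": "ab" * 32}}],
    "predicateType": SLSA_V02,
    "predicate": {
        "builder": {"id": "https://github.com/slsa-framework/slsa-github-generator/"
                          ".github/workflows/generator_generic_slsa3.yml@refs/tags/v1.2.0"},
        "buildType": "https://github.com/slsa-framework/slsa-github-generator/generic@v1",
        "materials": [
            {"uri": f"git+{EXPECTED_REPO}@refs/heads/main",
             "digest": {"sha1": EXPECTED_SHA1}},
        ],
    },
})


def source_materials(statement: Dict[str, Any], repo: str) -> List[Dict[str, Any]]:
    """Return the materials whose uri is `git+<repo>@<ref>`.

    `materials` is optional in SLSA v0.2, so a missing field yields []. The
    trailing '@' in the prefix keeps `.../hello` from matching `.../hello-world`.
    """
    prefix = f"git+{repo}@"
    materials = statement.get("predicate", {}).get("materials") or []
    return [m for m in materials if str(m.get("uri", "")).startswith(prefix)]


def check_source_material(statement_json: str, repo: str, expected_sha1: str) -> Tuple[bool, str]:
    """Verify that the statement pins `repo` at `expected_sha1` via its materials.

    Returns (ok, reason) and fails closed on malformed JSON, a wrong predicate
    type, zero or several materials for the repo, a missing/non-hex sha1, or a
    commit mismatch. Comparison is case-insensitive on the hex digest.
    """
    try:
        statement = json.loads(statement_json)
    except json.JSONDecodeError as exc:
        return False, f"invalid JSON: {exc}"
    if statement.get("predicateType") != SLSA_V02:
        return False, f"unexpected predicateType {statement.get('predicateType')!r}"
    matches = source_materials(statement, repo)
    if len(matches) != 1:
        return False, f"expected exactly one material for {repo}, found {len(matches)}"
    sha1 = (matches[0].get("digest") or {}).get("sha1")
    if not isinstance(sha1, str) or len(sha1) != 40 \
            or any(c not in "0123456789abcdef" for c in sha1.lower()):
        return False, "source material has no 40-hex sha1 digest"
    if sha1.lower() != expected_sha1.lower():
        return False, f"source commit mismatch: {sha1} != {expected_sha1}"
    return True, "source material matches expected repository and commit"


if __name__ == "__main__":
    print(check_source_material(SAMPLE_STATEMENT, EXPECTED_REPO, EXPECTED_SHA1))
```

A real verifier would perform this check only after validating the envelope signature and the `builder.id`; the materials check adds the assurance that the artifact was built from the commit the consumer intended, not merely by the expected builder.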
Add a workflow for building Python packages and generating SLSA provenance for them. This is analogous to https://github.com/slsa-framework/slsa-github-generator-go for Go projects, except for Python packages. This is to help achieve...
We use WrappableError in the generic builder, but not in the Go builder. We should use the same construction and error definitions across builders.
The following unchecked golangci-lint linters are currently generating issues and are disabled. We need to enable them and fix the issues encountered.
- [ ] errcheck
- [ ] errorlint
- ...
Shell scripts should use lowercase variable names if the variable is unexported. This seems to be the best practice and linters like shellcheck will point out uninitialized variables if they...
Related #153. I've had trouble loading the GitHub context into an environment variable in `actions.yml`, so we may need to find another way to read the context. Either via an...
Related #53. We should consider moving the shell scripts to their own files rather than having them inline in YAML so that it's easier to lint them for problems. Shell...
Currently we have to have special case code to run e2e tests in pull requests due to #131. I'd like to get rid of that code so that pull requests...
As part of https://github.com/slsa-framework/slsa-github-generator/pull/86, I used a script to download the builder's binary. We should use code in another programming language instead, to avoid trusting the `gh` CLI binary and to...