
Support for GitLab provenance

Open laurentsimon opened this issue 1 year ago • 2 comments

GitLab has some support in https://github.com/npm/cli/pull/6375

https://gist.github.com/wlynch/42e89527d51bc72a61279f0c7f3be1cd

laurentsimon, May 11 '23 23:05

v0.2 provenance does not have a stable builder ID, so we may defer implementation to v1.0

laurentsimon, Jun 14 '23 13:06

They are still using SLSA v0.2, and that older definition of BuilderID.

  • https://github.com/npm/cli/blob/22731831e22011e32fa0ca12178e242c2ee2b33d/workspaces/libnpmpublish/lib/provenance.js#L67
  • https://github.com/npm/cli/pull/6375#discussion_r1173989123

I think for GitLab the BuilderID should also be the ref to GitLab's own equivalent of a GithubWorkflow definition YAML file. And we would need to upgrade the npmcli attestation-generating code to start using v1, like @laurentsimon suggests.

  • https://docs.gitlab.com/ee/ci/migration/github_actions.html#:~:text=A%20GitHub%20Action%20workflow%20is,gitlab%2Dci.

ramonpetgrave64, Jun 24 '24 17:06
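The two comments above turn on where the builder ID lives in a v0.2 versus a v1.0 provenance predicate, and on what a verifier would compare it against. The following Go program is an added example written for this page; it is not slsa-verifier's code nor npm's. The field locations (`predicate.builder.id` in v0.2, `predicate.runDetails.builder.id` in v1.0) come from the SLSA spec; the two sample statements are constructed, and their GitLab-style builder IDs are hypothetical, since the thread has not settled what a GitLab builder ID should look like. The `name@version` split mirrors the form the SLSA GitHub builders use for their IDs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Predicate type URIs defined by the SLSA provenance spec.
const (
	PredicateV02 = "https://slsa.dev/provenance/v0.2"
	PredicateV1  = "https://slsa.dev/provenance/v1"
)

// statement is the subset of an in-toto Statement needed to find the builder ID.
type statement struct {
	PredicateType string          `json:"predicateType"`
	Predicate     json.RawMessage `json:"predicate"`
}

// In v0.2 the builder object is at the top level of the predicate.
type predicateV02 struct {
	Builder struct {
		ID string `json:"id"`
	} `json:"builder"`
}

// In v1.0 the builder object moved under runDetails.
type predicateV1 struct {
	RunDetails struct {
		Builder struct {
			ID string `json:"id"`
		} `json:"builder"`
	} `json:"runDetails"`
}

// BuilderID parses a serialized in-toto statement and returns its builder ID,
// dispatching on predicateType. Unknown predicate types and empty IDs are errors.
func BuilderID(raw []byte) (string, error) {
	var st statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return "", fmt.Errorf("parsing statement: %w", err)
	}
	var id string
	switch st.PredicateType {
	case PredicateV02:
		var p predicateV02
		if err := json.Unmarshal(st.Predicate, &p); err != nil {
			return "", fmt.Errorf("parsing v0.2 predicate: %w", err)
		}
		id = p.Builder.ID
	case PredicateV1:
		var p predicateV1
		if err := json.Unmarshal(st.Predicate, &p); err != nil {
			return "", fmt.Errorf("parsing v1 predicate: %w", err)
		}
		id = p.RunDetails.Builder.ID
	default:
		return "", fmt.Errorf("unsupported predicateType %q", st.PredicateType)
	}
	if id == "" {
		return "", errors.New("provenance has no builder ID")
	}
	return id, nil
}

// SplitBuilderID splits a "name@version" builder ID (the form the SLSA GitHub
// builders use, e.g. ".../workflow.yml@refs/tags/v1.2.3") into name and version.
// An ID without "@" gets an empty version.
func SplitBuilderID(id string) (name, version string) {
	if i := strings.LastIndex(id, "@"); i >= 0 {
		return id[:i], id[i+1:]
	}
	return id, ""
}

// MatchesTrustedBuilder reports whether the name part of id equals trustedName
// exactly. Prefix matching would let ".../project-evil/..." pass a check meant
// for ".../project/...", so only full equality counts.
func MatchesTrustedBuilder(id, trustedName string) bool {
	name, _ := SplitBuilderID(id)
	return name == trustedName
}

// Constructed sample statements (not real attestations). The GitLab-style
// builder IDs are hypothetical and only illustrate the two predicate layouts.
const sampleV02 = `{"_type":"https://in-toto.io/Statement/v0.1","subject":[{"name":"pkg","digest":{"sha256":"aa"}}],
 "predicateType":"https://slsa.dev/provenance/v0.2",
 "predicate":{"builder":{"id":"https://gitlab.com/example/project/-/.gitlab-ci.yml@refs/heads/main"}}}`

const sampleV1 = `{"_type":"https://in-toto.io/Statement/v1","subject":[{"name":"pkg","digest":{"sha256":"aa"}}],
 "predicateType":"https://slsa.dev/provenance/v1",
 "predicate":{"runDetails":{"builder":{"id":"https://gitlab.com/example/project/-/.gitlab-ci.yml@refs/tags/v1.0.0"}}}}`

func main() {
	const trusted = "https://gitlab.com/example/project/-/.gitlab-ci.yml" // hypothetical
	for _, s := range []string{sampleV02, sampleV1} {
		id, err := BuilderID([]byte(s))
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		name, version := SplitBuilderID(id)
		fmt.Printf("builder=%s version=%q trusted=%v\n", name, version, MatchesTrustedBuilder(id, trusted))
	}
}
```

The point of the exact-match check is the one raised in the thread: a verifier can only pin a trusted builder once the ID format is stable, and once it is, the comparison has to be on the whole name, not a prefix.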