
feat: testing mode from non-main slsa-framework/slsa-github-generator branches

Open ramonpetgrave64 opened this issue 1 year ago • 4 comments

Allow verifying provenances from the slsa-framework/slsa-github-generator branches. This is useful during development.

We could also allow the tester to customize the repo, perhaps to their own fork. Example:

SLSA_VERIFIER_TESTING_ALTERNATE_SOURCE_REPO="ramonpetgrave64/slsa-verifier" \
    go run . verify-artifact ...

Testing

  • Added unit tests
  • manually invoking against provenance and artifacts from a test workflow run
    • https://github.com/slsa-framework/slsa-github-generator/actions/runs/10308515370
  • also verifying within the same workflow
    • https://github.com/slsa-framework/slsa-github-generator/actions/runs/10308515370/job/28536184530#step:6:1

ramonpetgrave64 avatar Aug 08 '24 19:08 ramonpetgrave64
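The issue above proposes a testing mode in which the trusted builder repository and branch can be relaxed via an environment variable. The following is an added illustration, not slsa-verifier's own code: it sketches how such an override can be gated so that it is honoured only when testing mode is explicitly on, and how the builder source URI recorded for a workflow would then be checked against that policy. The env var name is the one from the issue; everything else (the `PolicyFromEnv`/`VerifyBuilderSource` names, the explicit `testing` flag, the "tags or main are trusted" production rule, the `https://github.com/owner/name/path@ref` URI shape) is an assumption made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Trusted builder repository in production (the project's real default).
const defaultBuilderRepo = "slsa-framework/slsa-github-generator"

// Env var name taken from the issue text; semantics here are assumed.
const altRepoEnv = "SLSA_VERIFIER_TESTING_ALTERNATE_SOURCE_REPO"

// BuilderPolicy is the trust anchor for the builder workflow source.
type BuilderPolicy struct {
	Repo        string // "owner/name"
	AllowAnyRef bool   // true only in testing mode: any branch/tag accepted
}

// PolicyFromEnv derives the policy. The override is read only when testing
// mode is explicitly enabled, so a stray env var in a production verifier
// cannot silently redirect trust to a different repository.
func PolicyFromEnv(testing bool, getenv func(string) string) (BuilderPolicy, error) {
	p := BuilderPolicy{Repo: defaultBuilderRepo}
	if !testing {
		return p, nil
	}
	p.AllowAnyRef = true
	if alt := getenv(altRepoEnv); alt != "" {
		// Require exactly "owner/name"; reject anything that could smuggle
		// extra path segments into the later comparison.
		if strings.Count(alt, "/") != 1 || strings.HasPrefix(alt, "/") || strings.HasSuffix(alt, "/") {
			return BuilderPolicy{}, fmt.Errorf("invalid %s value %q: want owner/name", altRepoEnv, alt)
		}
		p.Repo = alt
	}
	return p, nil
}

// VerifyBuilderSource checks a builder source URI of the assumed form
// "https://github.com/<owner>/<name>/<path>@<ref>" against the policy.
func VerifyBuilderSource(p BuilderPolicy, sourceURI string) error {
	const prefix = "https://github.com/"
	if !strings.HasPrefix(sourceURI, prefix) {
		return errors.New("builder source is not on github.com")
	}
	pathAndRef := strings.SplitN(strings.TrimPrefix(sourceURI, prefix), "@", 2)
	if len(pathAndRef) != 2 {
		return errors.New("builder source has no @ref")
	}
	path, ref := pathAndRef[0], pathAndRef[1]
	segs := strings.SplitN(path, "/", 3) // owner, name, rest-of-path
	if len(segs) < 3 {
		return errors.New("builder source path too short")
	}
	repo := segs[0] + "/" + segs[1]
	if repo != p.Repo {
		return fmt.Errorf("untrusted builder repo %q, want %q", repo, p.Repo)
	}
	if p.AllowAnyRef {
		return nil // testing mode: feature branches such as a tester's own are fine
	}
	// Assumed production rule for this example: release tags or main only.
	if ref != "refs/heads/main" && !strings.HasPrefix(ref, "refs/tags/") {
		return fmt.Errorf("untrusted builder ref %q", ref)
	}
	return nil
}

func main() {
	// Constructed sample URI: the builder workflow on a non-main branch.
	uri := "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@refs/heads/my-tests"
	for _, testing := range []bool{false, true} {
		p, err := PolicyFromEnv(testing, os.Getenv)
		if err != nil {
			fmt.Println("policy error:", err)
			continue
		}
		fmt.Printf("testing=%v repo=%s err=%v\n", testing, p.Repo, VerifyBuilderSource(p, uri))
	}
}
```

Running it with the env var set to a fork (as in the issue's `go run` example) makes the fork's workflow verify in testing mode while the production policy still rejects both the fork and the non-main branch of the default repo.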

@ianlewis @laurentsimon

ramonpetgrave64 avatar Aug 08 '24 20:08 ramonpetgrave64

Is this to support running slsa-verifier in slsa-github-generator pre-submits? I kind of thought we did this already but maybe I'm misremembering?

ianlewis avatar Aug 21 '24 01:08 ianlewis

@ianlewis not for pre-submits, or pull_request events, but for push events, since id-token isn't available for PRs. And so far it seems not yet resolved.

  • https://github.com/slsa-framework/slsa-github-generator/issues/131

So I might be testing changes on a separate branch "ramoneptgrave64-my-tests" that exists on the slsa-framework/slsa-github-generator repo.

ramonpetgrave64 avatar Aug 21 '24 14:08 ramonpetgrave64

Additional discussion, considering using an alternative identity token within PRs

  • https://github.com/slsa-framework/slsa-github-generator/pull/3777#discussion_r1795254767

ramonpetgrave64 avatar Oct 29 '24 19:10 ramonpetgrave64