
Implement checking if the workflow that built the artifact is part of the allowed list

Open rdimitrov opened this issue 1 year ago • 0 comments

The idea is to ensure that the workflow that built the artifact is part of the allowed actions list.

  • Artifact is signed -> get its signer identity (workflow) -> check if this workflow is allowed in GitHub

Reference:

  • https://github.com/stacklok/minder-rules-and-profiles/blob/d1ef79da0cb3664d28a8bedfa890faf11e59718d/rule-types/github/allowed_selected_actions.yaml#L31

rdimitrov avatar Feb 19 '24 11:02 rdimitrov
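The three-step check described in the issue (signed artifact -> signer identity -> allow-list lookup), as an added Go example written for this page; it is not Minder's own code and does not use the linked rule type's actual matcher. It assumes the signer identity has already been extracted from the keyless signing certificate as the SubjectAlternativeName URI that GitHub Actions builds carry (`https://github.com/OWNER/REPO/.github/workflows/FILE.yml@REF`), and it assumes an allow-list pattern syntax modelled on GitHub's "allowed actions" setting (`OWNER/*`, `OWNER/REPO@*`, `OWNER/REPO/PATH@REF`); the sample identity and patterns below are constructed.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// WorkflowIdentity holds the parts of a GitHub Actions signer identity, i.e. the
// certificate SAN URI https://github.com/OWNER/REPO/.github/workflows/FILE.yml@REF.
type WorkflowIdentity struct {
	Owner string
	Repo  string
	Path  string // workflow file path inside the repository
	Ref   string // git ref the workflow ran at (refs/heads/..., refs/tags/...)
}

// ParseWorkflowIdentity splits a SAN URI into its components. Anything that is not a
// github.com workflow URI with an @ref suffix is rejected, so a malformed or foreign
// identity can never satisfy an allow-list entry by accident.
func ParseWorkflowIdentity(san string) (WorkflowIdentity, error) {
	u, err := url.Parse(san)
	if err != nil {
		return WorkflowIdentity{}, err
	}
	if u.Scheme != "https" || u.Host != "github.com" {
		return WorkflowIdentity{}, fmt.Errorf("identity %q is not a github.com workflow", san)
	}
	p, ref, ok := strings.Cut(strings.TrimPrefix(u.Path, "/"), "@")
	if !ok || ref == "" {
		return WorkflowIdentity{}, fmt.Errorf("identity %q has no @ref suffix", san)
	}
	parts := strings.SplitN(p, "/", 3)
	if len(parts) != 3 || !strings.HasPrefix(parts[2], ".github/workflows/") {
		return WorkflowIdentity{}, fmt.Errorf("identity %q is not a workflow path", san)
	}
	return WorkflowIdentity{Owner: parts[0], Repo: parts[1], Path: parts[2], Ref: ref}, nil
}

// Matches reports whether one allow-list pattern (assumed syntax, see lead-in) covers id.
//   OWNER/*              any workflow in any repository of OWNER
//   OWNER/REPO@*         any workflow in REPO at any ref
//   OWNER/REPO/PATH@REF  exactly this workflow file at this ref
// A pattern without "@" accepts any ref; pinning the ref is the safer choice, since
// otherwise a workflow run from an arbitrary branch of an allowed repo is accepted too.
func Matches(pattern string, id WorkflowIdentity) bool {
	spec, ref, hasRef := strings.Cut(pattern, "@")
	if hasRef && ref != "*" && ref != id.Ref {
		return false
	}
	full := id.Owner + "/" + id.Repo + "/" + id.Path
	switch {
	case strings.HasSuffix(spec, "/*"):
		return strings.HasPrefix(full, strings.TrimSuffix(spec, "*"))
	case strings.Count(spec, "/") == 1: // OWNER/REPO form
		return spec == id.Owner+"/"+id.Repo
	default:
		return spec == full
	}
}

// IsAllowed is the check the issue asks for: parse the signer identity and see whether
// any entry of the allow list matches it. A parse error means "not allowed".
func IsAllowed(allow []string, san string) (bool, error) {
	id, err := ParseWorkflowIdentity(san)
	if err != nil {
		return false, err
	}
	for _, pattern := range allow {
		if Matches(pattern, id) {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Constructed sample: an allow list and the identity read from a build's signature.
	allow := []string{"actions/*", "stacklok/minder/.github/workflows/release.yml@refs/heads/main"}
	san := "https://github.com/stacklok/minder/.github/workflows/release.yml@refs/heads/main"
	ok, err := IsAllowed(allow, san)
	fmt.Println("allowed:", ok, "err:", err)
}
```

The parse step is deliberately strict: the allow list is only meaningful if the identity compared against it really is a GitHub workflow reference, so a different issuer host or a missing ref is treated as a failed check rather than a near miss.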