slsa-framework / github-actions-buildtypes
Community-maintained SLSA buildType for GitHub Actions
License: Apache License 2.0
There is a need for a canonical way for signers to capture the source in the provenance and for verifiers to check. For GHA the source is the repository that triggered the GHA run, however other dependencies could potentially be pulled and included in resolvedDependencies.
Right now slsa-github-generator includes this information as the first entry in resolvedDependencies by convention and slsa-verifier uses this to verify against the --source-uri provided by users. This is really just a convention and should be included more definitively in the provenance via a field in externalParameters or an annotation on the resolvedDependency entry.
Ideally this solution would be applicable to other builders as well and should not necessarily be decided here. Though the ultimate decision should be reflected in this repo and its examples.
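As an added example (not code from slsa-github-generator, slsa-verifier or this repository), the check the issue above describes: take the first resolvedDependencies entry as the source, parse its git+https URI, require a gitCommit digest, and compare it with a caller-supplied source URI in the style of --source-uri. The provenance statement, the repository names and the commit digests below are constructed for illustration; the second dependency entry is there to show that only entry 0 is treated as the source.

```python
"""Source check for a SLSA v1 provenance using the first-resolvedDependency convention.

Added example; not code from slsa-github-generator, slsa-verifier or this repo.
The provenance, repository names and digests are constructed for illustration.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed SLSA v1 provenance (statement body only); not a real attestation.
SAMPLE_PROVENANCE = json.dumps({
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
            "resolvedDependencies": [
                # By convention, entry 0 is the repository that triggered the run.
                {
                    "uri": "git+https://github.com/example-org/example-repo@refs/tags/v1.0.0",
                    "digest": {"gitCommit": "0" * 40},
                },
                # Other dependencies may follow and must not be mistaken for the source.
                {
                    "uri": "git+https://github.com/example-org/shared-action@refs/heads/main",
                    "digest": {"gitCommit": "1" * 40},
                },
            ],
        }
    },
})

_GIT_URI = re.compile(r"^git\+(?P<repo>https://github\.com/[^@\s]+?)(?:@(?P<ref>\S+))?$")
_COMMIT = re.compile(r"^[0-9a-f]{40}$")


@dataclass(frozen=True)
class Source:
    repository: str      # https://github.com/<owner>/<repo>
    ref: Optional[str]   # e.g. refs/tags/v1.0.0, or None if the URI carries no ref
    commit: str          # 40-hex gitCommit digest


def parse_git_uri(uri: str) -> Tuple[str, Optional[str]]:
    """Split 'git+https://github.com/owner/repo[@ref]' into (repository URL, ref)."""
    m = _GIT_URI.match(uri)
    if not m:
        raise ValueError(f"not a git+https GitHub URI: {uri!r}")
    return m.group("repo").rstrip("/"), m.group("ref")


def source_from_convention(provenance: dict) -> Source:
    """Locate the source via the first-entry convention and require a commit digest."""
    deps = provenance["predicate"]["buildDefinition"].get("resolvedDependencies") or []
    if not deps:
        raise ValueError("no resolvedDependencies: source cannot be located")
    first = deps[0]
    repository, ref = parse_git_uri(first.get("uri", ""))
    commit = (first.get("digest") or {}).get("gitCommit", "")
    if not _COMMIT.match(commit):
        raise ValueError("source entry lacks a 40-hex gitCommit digest")
    return Source(repository, ref, commit)


def normalize_expected(expected_source_uri: str) -> Tuple[str, Optional[str]]:
    """Accept 'github.com/owner/repo', 'https://...' or 'git+https://...', with optional @ref."""
    s = expected_source_uri.strip()
    if s.startswith("git+"):
        s = s[len("git+"):]
    if not s.startswith("https://"):
        s = "https://" + s
    repository, _, ref = s.partition("@")
    return repository.rstrip("/"), (ref or None)


def verify_source(provenance_json: str, expected_source_uri: str) -> Source:
    """Raise ValueError unless the conventional source entry matches the expected repo (and ref, if given)."""
    source = source_from_convention(json.loads(provenance_json))
    exp_repo, exp_ref = normalize_expected(expected_source_uri)
    # GitHub owner/repo names are case-insensitive; refs are not.
    if source.repository.lower() != exp_repo.lower():
        raise ValueError(f"source repository {source.repository} != expected {exp_repo}")
    if exp_ref is not None and source.ref != exp_ref:
        raise ValueError(f"source ref {source.ref} != expected {exp_ref}")
    return source


def check_source(provenance_json: str, expected_source_uri: str) -> Tuple[bool, str]:
    """Non-raising wrapper: (True, description) on success, (False, reason) on failure."""
    try:
        src = verify_source(provenance_json, expected_source_uri)
    except (ValueError, KeyError, TypeError) as exc:
        return False, str(exc)
    return True, f"{src.repository}@{src.ref} ({src.commit[:12]})"


if __name__ == "__main__":
    for expected in ("github.com/example-org/example-repo",
                     "git+https://github.com/example-org/example-repo@refs/tags/v1.0.0",
                     "github.com/example-org/shared-action"):
        print(expected, "->", check_source(SAMPLE_PROVENANCE, expected))
```

The third probe in the usage loop is the point of the issue: shared-action is present in resolvedDependencies, but because it is not entry 0 the check rejects it, so the whole guarantee rests on the generator keeping the source first. Moving the source into an explicit externalParameters field or an annotation, as the issue proposes, would let a verifier select it by name rather than by position.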
https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule
I don't recall the reason why they were excluded. Was there some info missing from those events that we cared about?
I'm curious about the deployment event in GHA and how it relates to SLSA. We have it listed as a supported event in the github-actions-buildtypes repo but AFAICT it doesn't really make sense to me as an important event to support.
https://github.com/slsa-framework/github-actions-buildtypes/tree/main/workflow/v1#build-definition
We currently have it listed as a supported event type for BYOB in verify-token
https://github.com/slsa-framework/slsa-github-generator/blob/921bfa1c304f3adc597c69e6d64f3a9ca34080a0/.github/actions/verify-token/src/validate.ts#L34
AFAICT, deployments on GHA get created through the normal 'push' to branch/tag style events when you specify an 'environment' on a job. So this is presumably when you're actually building your artifact. It's also presumably where the "deployment" to the environment actually happens.
https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#using-an-environment
The deployment event gets triggered when the deployment gets created, but doesn't always have a GIT ref and is perhaps for doing some kind of cleanup or maybe some validation after the deployment actually happens? I'm not sure it's really relevant to SLSA.
Is there a clear example somewhere in the GitHub docs (or elsewhere) that shows how it might be relevant for builds?