slsa-framework / github-actions-buildtypes Goto Github PK

There is a need for a canonical way for signers to capture the source in the provenance and for verifiers to check. For GHA the source is the repository that triggered the the GHA run, however other dependencies could potentially be pulled and included in resolvedDependencies.

Right now slsa-github-generator includes this information as the first entry in resolvedDependencies by convention and slsa-verifier uses this to verify against the --source-uri provided by users. This is really just a convention and should be included more definitively in the provenance via a field in externalParameters or an annotation on the resolvedDependency entry.

Ideally this solution would be applicable to other builders as well and should not necessarily be decided here. Though the ultimate decision should be reflected in this repo and it's examples.

https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows#schedule

I don't recall the reason why they were excluded. Was there some info missing from those events that we cared about?

/cc @MarkLodato @laurentsimon @kpk47

I'm curious about the deployment event in GHA and how it relates to SLSA. We have it listed as a supported event in the github-actions-buildtypes repo but AFAICT it doesn't really make sense to me as an important event to support.
https://github.com/slsa-framework/github-actions-buildtypes/tree/main/workflow/v1#build-definition

We currently have it listed as a supported event type for BYOB in verify-token
https://github.com/slsa-framework/slsa-github-generator/blob/921bfa1c304f3adc597c69e6d64f3a9ca34080a0/.github/actions/verify-token/src/validate.ts#L34

AFAICT, deployments on GHA get created through the normal 'push' to branch/tag style events when you specify an 'environment' on a job. So this is presumably when you're actually building your artifact. It's also presumably where the "deployment" to the environment actually happens.
https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment#using-an-environment

The deployment event gets triggered when the deployment gets created, but doesn't always have a GIT ref and is perhaps for doing some kind of cleanup or maybe some validation after the deployment actually happens? I'm not sure it's really relevant to SLSA.

Is there a clear example somewhere in the GitHub docs (or elsewhere) that shows how it might be relevant for builds?