[feature] support creating a draft release
The Go builder and generic generator use softprops/action-gh-release to create releases. We should support setting the draft flag so that users can create draft releases.
Related: https://github.com/sigstore/helm-sigstore/pull/111
We ran into this in https://github.com/sigstore/timestamp-authority.
See the release GHA - https://github.com/sigstore/timestamp-authority/blob/main/.github/workflows/release.yaml
The GHA first creates a draft release with the binary assets, and then runs the provenance generator. The generator will create a release (not a draft) using the tag. The issues are:
- This doesn't detect the existing draft release, instead creating a new release
- This creates a new release that we have to delete after manually moving the intoto attestation to the draft release
Ideally the GHA generator would either detect an existing draft release and append the attestation or I could provide flags to the generator to control this behavior.
cc @asraa @laurentsimon
I think as a mitigation (suggested by Hayden!) users could use upload-assets: false, and manually upload the asset (which will be named according to the inputs: https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#workflow-inputs)
Yes, setting upload-assets: false and uploading them yourself (and downloading/uploading the provenance) is the workaround.
Example: https://github.com/sigstore/helm-sigstore/pull/111/files#diff-87db21a973eed4fef5f32b267aa60fcee5cbdf03c67fafdc2a9b553bb0b15f34R61-R90
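The workaround described above (upload-assets: false, then uploading the binaries and the downloaded provenance to a draft release yourself) as a complete workflow. This is an added example, not the timestamp-authority or helm-sigstore workflow and not code from slsa-github-generator; the generator version tag (vX.Y.Z), the build command, and the artifact and binary names are placeholders. The generator inputs base64-subjects and upload-assets and its provenance-name output are taken from the generic generator README linked above; the softprops/action-gh-release draft and files inputs are the action's own.

```yaml
# Added example: draft release + SLSA provenance without letting the generator
# create a second (non-draft) release. Placeholders: vX.Y.Z, myapp, the build step.
name: release
on:
  push:
    tags: ["v*"]

permissions: read-all

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@v4
      - name: Build (placeholder command)
        run: go build -o myapp .
      - name: Compute base64-encoded sha256 subjects for the generator
        id: hash
        run: echo "hashes=$(sha256sum myapp | base64 -w0)" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with:
          name: binaries
          path: myapp

  provenance:
    needs: [build]
    permissions:
      actions: read
      id-token: write
      contents: read   # write is only needed when the generator uploads assets itself
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@vX.Y.Z # placeholder version
    with:
      base64-subjects: ${{ needs.build.outputs.hashes }}
      upload-assets: false   # workaround: do not let the generator create a release

  release:
    needs: [build, provenance]
    runs-on: ubuntu-latest
    permissions:
      contents: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: binaries
      # The generator stores the provenance as a workflow artifact named by its
      # provenance-name output; download it so it can be attached to the draft.
      - uses: actions/download-artifact@v4
        with:
          name: ${{ needs.provenance.outputs.provenance-name }}
      - uses: softprops/action-gh-release@v1   # pin to a commit SHA in practice
        with:
          draft: true
          files: |
            myapp
            ${{ needs.provenance.outputs.provenance-name }}
```

With upload-assets: false the generator never touches the release, so there is a single draft release carrying both the binaries and the attestation; the only extra cost is that the provenance artifact has to be downloaded and uploaded in the release job, which is the manual step the thread refers to.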
Thanks, doing that here! https://github.com/sigstore/timestamp-authority/pull/215
Thank you @ianlewis for the code pointer, a test release worked as expected!
/cc @developer-guy BTW would love PR(s) for this if you have some time to take a look.
While working on the osv-scanner project, I realized that they mark their release as a draft for some reason. In that case, if we set the upload-assets parameter of the Generic SLSA 3 Generator to true, we see two different releases with the same tag, one marked as draft and the other marked as latest. Then I dug into the problem a bit, and noticed that the Generic SLSA 3 Generator uses softprops/action-gh-release to upload the provenance file, here and here. There is a draft option available in the parameters of the action-gh-release GitHub Action.
So, maybe we can add a new parameter to these generators for people who might want to mark their release as a draft; if so, they can pass that parameter to action-gh-release to avoid having duplicate releases, as @ianlewis said above.
What I have thought is this:
- Add a draft option to the workflow inputs
- Use the draft option to fulfill the draft option of softprops/action-gh-release that we use to upload provenance
Does that sound good, @ianlewis? If so, please assign it to me. PTAL @ianlewis
Yep, that's the gist of it I think.
We need an end-to-end test before closing this issue. Tests for the prerelease flags are in https://github.com/search?q=repo%3Aslsa-framework%2Fexample-package%20prerelease&type=code
Reopen for e2e test.
Here is the PR for e2e tests: https://github.com/slsa-framework/example-package/pull/167