
[feature] Support for GitHub Attestation Store

Open ianlewis opened this issue 1 year ago • 3 comments

We should consider adding support for storing results in GitHub's attestation store.

I think we would need to create a predicate that matches what the attestation store expects, so it would be slightly different from the ones we create today. This might be ok, since we aren't supporting SLSA v1.0 much in our workflows yet, so we could do it at the same time.

Related #3668

ianlewis avatar May 23 '24 13:05 ianlewis

Great! Looking forward to a native implementation; for now I have to download each artifact and attest it with a workaround:

  attestation:
    needs: [build]
    runs-on: ubuntu-latest
    permissions:
      id-token: write       # OIDC token for Sigstore signing
      contents: read
      attestations: write   # needed to store the attestation on GitHub
    strategy:
      matrix:
        artifact:
          - linux-amd64
          - linux-arm64
          - darwin-amd64
          - darwin-arm64
          - windows-amd64.exe
          - windows-arm64.exe
    steps:
      # Each artifact was uploaded by the build job under the name yutu-<target>
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: yutu-${{ matrix.artifact }}
      # One attestation per artifact; the file is the attestation subject
      - name: Attest
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: '${{ github.workspace }}/yutu-${{ matrix.artifact }}'

OpenWaygate avatar May 24 '24 18:05 OpenWaygate
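The first post talks about a predicate shaped for the attestation store, and the workaround above binds each downloaded file to an attestation via `subject-path`. The script below is an added example (not code from slsa-github-generator or from this thread) showing what a consumer checks on the resulting in-toto Statement before trusting it: the statement type, the SLSA v1 predicate type, and that the subject's sha256 matches the bytes actually on disk. The statement it parses is constructed inline; the `buildType` and `builder.id` values are placeholders, and it does not verify the Sigstore signature around the statement (that is what `gh attestation verify` does).

```python
import hashlib
import json

# Identifiers as published by in-toto and SLSA (not invented here).
INTOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of artifact bytes, hex encoded the way in-toto subjects carry it."""
    return hashlib.sha256(data).hexdigest()


def check_statement(statement_json: str, artifact_name: str, artifact_bytes: bytes) -> dict:
    """Return which binding checks pass for one artifact.

    A wrong statement or predicate type means this is not the provenance
    format we expect; a missing subject or digest mismatch means the
    attestation does not speak for this file, whatever its signature says.
    """
    stmt = json.loads(statement_json)
    subjects = stmt.get("subject", [])
    matching = [s for s in subjects if s.get("name") == artifact_name]
    expected = sha256_hex(artifact_bytes)
    digest_match = bool(matching) and all(
        s.get("digest", {}).get("sha256", "").lower() == expected for s in matching
    )
    return {
        "statement_type_ok": stmt.get("_type") == INTOTO_STATEMENT_V1,
        "predicate_type_ok": stmt.get("predicateType") == SLSA_PROVENANCE_V1,
        "subject_found": bool(matching),
        "digest_match": digest_match,
    }


def accept(result: dict) -> bool:
    """Accept only when every check passed."""
    return all(result.values())


# Constructed sample: a minimal in-toto Statement with a SLSA v1 predicate,
# shaped like what actions/attest-build-provenance stores for one artifact.
# The predicate body is abbreviated and its URIs are placeholders.
ARTIFACT_BYTES = b"constructed stand-in for the yutu-linux-amd64 binary\n"
SAMPLE_STATEMENT = json.dumps({
    "_type": INTOTO_STATEMENT_V1,
    "subject": [
        {"name": "yutu-linux-amd64", "digest": {"sha256": sha256_hex(ARTIFACT_BYTES)}}
    ],
    "predicateType": SLSA_PROVENANCE_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://example.invalid/constructed-build-type",
            "externalParameters": {
                "workflow": {"repository": "https://github.com/username/projectname"}
            },
        },
        "runDetails": {"builder": {"id": "https://example.invalid/constructed-builder"}},
    },
})

if __name__ == "__main__":
    genuine = check_statement(SAMPLE_STATEMENT, "yutu-linux-amd64", ARTIFACT_BYTES)
    tampered = check_statement(SAMPLE_STATEMENT, "yutu-linux-amd64", ARTIFACT_BYTES + b"x")
    print("genuine artifact accepted:", accept(genuine), genuine)
    print("tampered artifact accepted:", accept(tampered), tampered)
```

Running it accepts the genuine bytes and rejects the tampered copy on `digest_match` alone; swapping the predicate type for the v0.2 URI is rejected on `predicate_type_ok`, which is the kind of mismatch the first post anticipates if the generator's predicate and the store's expectations differ.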

@OpenWaygate So I guess you are generating two attestations? One created by slsa-github-generator and one by the attest-build-provenance action?

ianlewis avatar Jun 03 '24 07:06 ianlewis

Yes; while the one created by slsa-github-generator will appear in the release assets, the one created by attest-build-provenance will appear at https://github.com/username/projectname/attestations

OpenWaygate avatar Jun 03 '24 11:06 OpenWaygate