-
Notifications
You must be signed in to change notification settings - Fork 1.4k
Create generator-generic-ossf-slsa3-publish.yml #1640
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| # This workflow uses actions that are not certified by GitHub. | ||
| # They are provided by a third-party and are governed by | ||
| # separate terms of service, privacy policy, and support | ||
| # documentation. | ||
|
|
||
| # This workflow lets you generate SLSA provenance file for your project. | ||
| # The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements | ||
| # The project is an initiative of the OpenSSF (openssf.org) and is developed at | ||
| # https://github.com/slsa-framework/slsa-github-generator. | ||
| # The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier. | ||
| # For more information about SLSA and how it improves the supply-chain, visit slsa.dev. | ||
|
|
||
| name: SLSA generic generator | ||
| on: | ||
| workflow_dispatch: | ||
| release: | ||
| types: [created] | ||
|
|
||
| jobs: | ||
| build: | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| digests: ${{ steps.hash.outputs.digests }} | ||
|
|
||
|
Comment on lines
+22
to
+24
|
||
| steps: | ||
| - uses: actions/checkout@v4 | ||
|
|
||
| # ======================================================== | ||
| # | ||
| # Step 1: Build your artifacts. | ||
| # | ||
| # ======================================================== | ||
| - name: Build artifacts | ||
| run: | | ||
| # These are some amazing artifacts. | ||
| echo "artifact1" > artifact1 | ||
| echo "artifact2" > artifact2 | ||
|
Comment on lines
+33
to
+37
|
||
| # ======================================================== | ||
| # | ||
| # Step 2: Add a step to generate the provenance subjects | ||
| # as shown below. Update the sha256 sum arguments | ||
| # to include all binaries that you generate | ||
| # provenance for. | ||
| # | ||
| # ======================================================== | ||
| - name: Generate subject for provenance | ||
| id: hash | ||
| run: | | ||
| set -euo pipefail | ||
| # List the artifacts the provenance will refer to. | ||
| files=$(ls artifact*) | ||
| # Generate the subjects (base64 encoded). | ||
| echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" | ||
| provenance: | ||
| needs: [build] | ||
| permissions: | ||
| actions: read # To read the workflow path. | ||
| id-token: write # To sign the provenance. | ||
| contents: write # To add assets to a release. | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0 | ||
| with: | ||
| base64-subjects: "${{ needs.build.outputs.digests }}" | ||
| upload-assets: true # Optional: Upload to a new release | ||
|
Comment on lines
+64
to
+66
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This workflow doesn’t set a default
permissions:block, so thebuildjob may run with broaderGITHUB_TOKENpermissions than necessary (depending on repo/org defaults). Other workflows here scope permissions explicitly (e.g.,contents: read). Consider adding a top-levelpermissions: contents: readand only grantingid-token: write/contents: writeon theprovenancejob.