Open developer-guy opened 2 years ago
Hey
First, thanks for the interest. Shameless plug, we have released a v1 for the Go builder (more coming up soon) in github.com/slsa-framework/slsa-github-generator (official announcement very soon).
(We have not migrated the ko builder yet :/)
re: the CI variable. Can you tell me more about detecting whether the build is actually happening in GitHub Actions? The signature for the provenance is done via a certificate provided by Fulcio, and it has the identity of the builder/GitHub in it, so we're certain the build was made on GitHub Actions.
May I suggest you create an issue on github.com/slsa-framework/slsa-github-generator? That will generate more discussion than this repo :-)
Thank you!
Wouldn't it be nice if we could check the environment variable that I mentioned in the title of the issue to detect whether the build is actually happening in GitHub Actions, as an additional control to this code here?
WDYT @laurentsimon? Btw, I'm willing to do this if you agree with the idea. Thanks.
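The environment-variable check proposed above is something any process that runs the builder can satisfy, whereas the control laurentsimon points to is the identity Fulcio binds into the signing certificate. The Go below is added here as an illustration and is not code from slsa-github-generator or from either commenter: it shows what a consumer of the provenance would check on that certificate. The Fulcio issuer-extension OID, the GitHub Actions OIDC issuer URL and the workflow URI used for the self-signed test certificate are assumptions taken from Fulcio's certificate profile, not from this thread.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Fulcio records the OIDC issuer that authenticated the signer in this extension
// (assumed from Fulcio's certificate profile; the v1 form stores a raw string).
var oidFulcioIssuer = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 57264, 1, 1}

// VerifyBuilderIdentity is the control described in the reply: the certificate that
// signed the provenance names the OIDC issuer and the workflow that ran the build,
// so a verifier pins both instead of trusting anything the build environment reports.
func VerifyBuilderIdentity(cert *x509.Certificate, wantIssuer, wantBuilder string) error {
	var issuer string
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(oidFulcioIssuer) {
			issuer = string(ext.Value)
		}
	}
	if issuer != wantIssuer { // also fails when the extension is absent
		return fmt.Errorf("unexpected OIDC issuer %q", issuer)
	}
	for _, u := range cert.URIs { // the workflow identity is a SAN URI
		if strings.HasPrefix(u.String(), wantBuilder) {
			return nil
		}
	}
	return fmt.Errorf("no SAN URI names builder %q", wantBuilder)
}

// newTestCert self-signs a Fulcio-shaped leaf from constructed values (not a real
// Fulcio issuance) so the check can be exercised offline.
func newTestCert(issuer, workflowURI string) (*x509.Certificate, error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	u, _ := url.Parse(workflowURI)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		URIs:            []*url.URL{u},
		ExtraExtensions: []pkix.Extension{{Id: oidFulcioIssuer, Value: []byte(issuer)}},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // an error surfaces in Parse
	return x509.ParseCertificate(der)
}
```

A real verifier would additionally validate the chain to the Fulcio root and the Rekor inclusion proof; this block only isolates the identity check the thread is about.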