Currently, the BYOB framework does not allow configuration of the build environment beyond what is set within each respective builder. However, many different repos on GitHub configure the build environment in different ways before running the build command. Right now, BYOB builders cannot support these types of workflows that configure and build within a Composite Action, since that configurability would not transfer to the GitHub Runners that the Builder and BYOB framework run on.

To support these repos, I propose adding an additional input, `slsa-prebuild-action-path`, in https://github.com/slsa-framework/slsa-github-generator/blob/main/actions/delegator/setup-generic/action.yml which, like slsa-build-action-path, would run the action before running the build action.

Each builder that uses the BYOB framework would have this additional input, which they would pass to the `slsa-setup` job. Doing this would allow the BYOB framework to be configurable by the user, thus increasing the number of repos that can adopt our SLSA3 Builders and harden their code.

Additionally, under the same line of thinking, if there are repos that need to run tests within the same build environment context after the build process, I propose adding another input, `slsa-postbuild-action-path`.