Open ianlewis opened 4 months ago
Great! Looking forward to a native implementation; now I have to download each artifact and attest it with a workaround:
```yaml
attestation:
  needs: [build]
  runs-on: ubuntu-latest
  permissions:
    id-token: write        # needed for Sigstore signing of the attestation
    contents: read
    attestations: write    # needed to push to the repo's attestation store
  strategy:
    matrix:
      artifact:
        - linux-amd64
        - linux-arm64
        - darwin-amd64
        - darwin-arm64
        - windows-amd64.exe
        - windows-arm64.exe
  steps:
    - name: Download artifact
      uses: actions/download-artifact@v4
      with:
        name: yutu-${{ matrix.artifact }}
    - name: Attest
      uses: actions/attest-build-provenance@v1
      with:
        subject-path: '${{ github.workspace }}/yutu-${{ matrix.artifact }}'
```
@OpenWaygate So I guess you are generating two attestations? One created by slsa-github-generator and one by the attest-build-provenance action?
Yes. While the one created by slsa-github-generator will appear in the release assets, the one created by attest-build-provenance will appear in https://github.com/username/projectname/attestations
We should consider adding support for storing results in GitHub's attestation store.
I think we would need to create a predicate that matches what the attestation store expects, so it would be slightly different from the ones we create today. This might be ok, since we aren't supporting SLSA v1.0 much in our workflows yet, so we could do it at the same time.
Related #3668
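As an added example (not code from this project or either commenter), here is the kind of consumer-side check the two attestations above feed into: given a downloaded artifact and the in-toto Statement that attest-build-provenance stores, it confirms the statement is SLSA v1.0 provenance whose subject digest matches the file and whose builder id is the expected workflow. The sample artifact, statement and builder id are constructed; the buildType string is a placeholder. It deliberately does not verify the Sigstore signature over the statement, which `gh attestation verify` or slsa-verifier must still do.

```python
import hashlib

INTOTO_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"


def check_provenance(statement: dict, artifact_name: str, artifact: bytes,
                     expected_builder_prefix: str) -> list[str]:
    """Return a list of problems; an empty list means the (already
    signature-verified) statement binds this artifact to SLSA v1.0
    provenance from a builder under expected_builder_prefix."""
    problems = []
    if statement.get("_type") != INTOTO_V1:
        problems.append(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_V1:
        problems.append(f"predicateType is {statement.get('predicateType')!r}, not SLSA v1.0")
    # The subject must name this artifact and carry its sha256 digest.
    digest = hashlib.sha256(artifact).hexdigest()
    matches = [s for s in statement.get("subject", []) if s.get("name") == artifact_name]
    if not matches:
        problems.append(f"no subject named {artifact_name!r}")
    elif not any(s.get("digest", {}).get("sha256") == digest for s in matches):
        problems.append(f"sha256 of {artifact_name} does not match any subject digest")
    # SLSA v1.0 puts the builder identity under predicate.runDetails.builder.id.
    builder_id = (statement.get("predicate", {}).get("runDetails", {})
                  .get("builder", {}).get("id", ""))
    if not builder_id.startswith(expected_builder_prefix):
        problems.append(f"builder id {builder_id!r} is not under {expected_builder_prefix!r}")
    return problems


# Constructed sample: a fake artifact and a matching statement (not a real yutu release).
ARTIFACT = b"\x7fELF constructed sample binary\n"
BUILDER = "https://github.com/username/projectname/.github/workflows/release.yml@refs/tags/v1.0.0"
STATEMENT = {
    "_type": INTOTO_V1,
    "predicateType": SLSA_V1,
    "subject": [{"name": "yutu-linux-amd64",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicate": {
        "buildDefinition": {"buildType": "PLACEHOLDER-buildtype-uri"},  # assumption
        "runDetails": {"builder": {"id": BUILDER}},
    },
}

if __name__ == "__main__":
    print(check_provenance(STATEMENT, "yutu-linux-amd64", ARTIFACT,
                           "https://github.com/username/projectname/"))  # → []
```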