
Support for SLSA GHA #744

Open laurentsimon opened 6 months ago

laurentsimon commented 6 months ago

See https://github.com/cli/cli/pull/8698/ for required code changes

laurentsimon commented 6 months ago

@ramonpetgrave64

laurentsimon commented 5 months ago

https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

ramonpetgrave64 commented 3 months ago

Example provenance, which is a Sigstore bundle:

Decoded DSSE envelope payload (the in-toto Statement that the verifier must check after validating the bundle's signature):

{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {
      "name": "app.jar",
      "digest": {
        "sha256": "bc2153c2e6a9b03505e7f99ed126c47e6844accc6c9a013317182ba746854fcb"
      }
    }
  ],
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": {
    "buildDefinition": {
      "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
      "externalParameters": {
        "workflow": {
          "ref": "refs/heads/main",
          "repository": "https://github.com/ramonpetgrave/my-example-gradle-project",
          "path": ".github/workflows/build-with-github-attestation.yml"
        }
      },
      "internalParameters": {
        "github": {
          "event_name": "workflow_dispatch",
          "repository_id": "750993377",
          "repository_owner_id": "161096158"
        }
      },
      "resolvedDependencies": [
        {
          "uri": "git+https://github.com/ramonpetgrave/my-example-gradle-project@refs/heads/main",
          "digest": {
            "gitCommit": "cfc8c22bf4dd22e6fb7075f7422ae41ac9b43152"
          }
        }
      ]
    },
    "runDetails": {
      "builder": {
        "id": "https://github.com/actions/runner/github-hosted"
      },
      "metadata": {
        "invocationId": "https://github.com/ramonpetgrave/my-example-gradle-project/actions/runs/8930831141/attempts/1"
      }
    }
  }
}