slsa-framework / slsa

Supply-chain Levels for Software Artifacts
https://slsa.dev

Clarify the 'merger' identity in source track #1074

Status: Closed (TomHennen closed this issue 3 weeks ago)

TomHennen commented 3 months ago
> There is an actor who "clicked the merge button", but this may or may not be the identity of the actor that authenticated to push the changes.
>
> For example, I may click the merge button to add a PR to a GitHub Merge Queue, but the Merge Queue's service principal is the identity who eventually pushes the ref update of the main branch. This is because merge-queue-like systems contain the contents of multiple contributors and change sets.

_Originally posted by @zachariahcox in https://github.com/slsa-framework/slsa/pull/1037#discussion_r1588368932_
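The distinction the quoted comment draws, the actor who requested the merge versus the principal that authenticated the ref update, is easy to lose if a verifier records only one identity. The following is an added example, not code from the SLSA project or from either commenter: it models a ref update with both identities and applies the "whatever contract the SCP supports" policy from later in the thread, where a merge-queue push is accepted only if the service principal is trusted and every actor whose PR it lands is trusted. The `RefUpdate`/`MergerRecord` shapes and the `github-merge-queue[bot]` login are assumptions made for the example, not SLSA source-track attestation fields.

```python
"""Resolve and check the 'merger' identity for a branch ref update.

Added example: the record shapes are hypothetical and the sample updates are
constructed. The merge-queue principal name is an assumption about what the
SCP's merge queue pushes as; treat it as configuration.
"""
from dataclasses import dataclass

# Assumed service principal(s) a merge queue pushes as. Other SCPs use other names.
MERGE_QUEUE_PRINCIPALS = frozenset({"github-merge-queue[bot]"})


@dataclass(frozen=True)
class RefUpdate:
    """One ref update as reported by the SCP (constructed shape, not a real API)."""
    ref: str
    before: str
    after: str
    pusher: str                  # identity that authenticated the push
    merged_prs: tuple = ()       # (pr_number, actor who clicked "merge") per PR landed


@dataclass(frozen=True)
class MergerRecord:
    """What a verifier should retain: both identities, plus how they relate."""
    ref: str
    commit: str
    pusher: str                  # who performed the ref update
    merge_actors: tuple          # who requested the merge(s) contained in it
    via_merge_queue: bool


def resolve_merger(update: RefUpdate) -> MergerRecord:
    """Split 'who pushed' from 'who asked for the merge'.

    A merge-queue push may carry several PRs from several actors, so the
    requesting identities are kept as a de-duplicated, order-preserving tuple.
    A merge-queue push with no attributable PR actor cannot be attributed at
    all and is rejected rather than silently credited to the bot.
    """
    via_queue = update.pusher in MERGE_QUEUE_PRINCIPALS
    actors = tuple(dict.fromkeys(actor for _, actor in update.merged_prs))
    if via_queue and not actors:
        raise ValueError(f"{update.ref}: merge-queue push with no attributable merge actors")
    if not via_queue and not actors:
        # Direct push with no PR metadata: the pusher is the only actor we know.
        actors = (update.pusher,)
    return MergerRecord(update.ref, update.after, update.pusher, actors, via_queue)


def can_attribute(update: RefUpdate) -> bool:
    """True if resolve_merger() can produce a record for this update."""
    try:
        resolve_merger(update)
        return True
    except ValueError:
        return False


def authorized(record: MergerRecord, trusted_humans: frozenset, trusted_bots: frozenset) -> bool:
    """Policy for this example: a bot may push only on behalf of trusted humans;
    a non-bot push is judged on the pusher, who is the authenticated identity."""
    if record.via_merge_queue:
        return record.pusher in trusted_bots and all(a in trusted_humans for a in record.merge_actors)
    return record.pusher in trusted_humans


# Constructed sample updates, not real repository data.
SAMPLE_UPDATES = [
    RefUpdate("refs/heads/main", "a" * 40, "b" * 40, "alice", ((41, "alice"),)),
    RefUpdate("refs/heads/main", "b" * 40, "c" * 40, "github-merge-queue[bot]",
              ((42, "alice"), (43, "bob"), (44, "alice"))),
    RefUpdate("refs/heads/main", "c" * 40, "d" * 40, "mallory"),
]

if __name__ == "__main__":
    humans = frozenset({"alice", "bob"})
    for u in SAMPLE_UPDATES:
        rec = resolve_merger(u)
        print(rec.commit[:7], "pusher=", rec.pusher, "actors=", rec.merge_actors,
              "queue=", rec.via_merge_queue, "ok=", authorized(rec, humans, MERGE_QUEUE_PRINCIPALS))
```

The point of keeping two fields instead of one is that the policy can change with the SCP's contract without re-collecting evidence: a platform where humans push directly checks `pusher`, a platform that merges through a bot checks `merge_actors` and additionally that `pusher` is the expected bot, and a record that satisfies neither is rejected rather than attributed to whichever identity happened to be recorded.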

TomHennen commented 3 months ago

Please see the original comment and this discussion

zachariahcox commented 1 month ago

We can continue to discuss this, but probably it will just be "whatever contract is supported by the SCP". If the SCP uses a bot to merge changes, it might be a bot, or else it might be the user who clicks the button. Both can be fine.

zachariahcox commented 3 weeks ago

Marking "closed" for now! Please feel free to reopen if you feel we didn't address this topic fully 👍