plastikfan opened 1 year ago
An example: ko-build
AT = Attestation
Reaching SLSA Level 1:
Even though an automated build process has already been defined with GitHub Actions, this still isn't enough, as it does not include an automated release process, which we need to implement with goreleaser (Issue 42).
Provenance, need understanding of:
Essentially this is code signing (I wonder if this is only applicable to binaries and not libraries, as in the case of the library we don't create a binary; the client does, as part of their build process). However, when we tag a release, there is a zipped version of the repo (like a snapshot); perhaps we can sign this.
An AT is more than just a signature. It backs up the signature to describe HOW we created the signature. E.g. an AT may include how an artefact was created, i.e. what build command was used to create it.
Recommended Suite:
- The AT model - describes HOW an artefact was produced.
- The Provenance model -
  - System Inputs (evaluated to create Build Config). (For the schema, see: provenance/v0.2)
  - External Inputs
  - Executed with Build Config and Materials to produce Subject
  - this is not required for a library
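As an added example (not from this issue or from any project mentioned in it), the Go snippet below parses a constructed provenance/v0.2 statement of the shape described above and accepts a release asset only when its sha256 matches a listed subject and the statement records the builder and config source; the repo, tag, builder version and digests in it are placeholders.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Minimal in-toto Statement model with a SLSA provenance/v0.2 predicate; only the fields the check reads are declared.
type Resource struct {
	Name   string            `json:"name"`
	URI    string            `json:"uri"`
	Digest map[string]string `json:"digest"`
}
type Statement struct {
	PredicateType string     `json:"predicateType"`
	Subject       []Resource `json:"subject"`
	Predicate     struct {
		Builder    struct{ ID string `json:"id"` }                       `json:"builder"`
		Invocation struct{ ConfigSource Resource `json:"configSource"` } `json:"invocation"`
	} `json:"predicate"`
}

// Constructed statement for a constructed asset whose content is the bytes "abc"; repo, tag, builder version and sha1 are placeholders.
const SampleProvenance = `{"_type": "https://in-toto.io/Statement/v0.1", "predicateType": "https://slsa.dev/provenance/v0.2",
 "subject": [{"name": "example-lib_0.1.0_source.zip", "digest": {"sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}}],
 "predicate": {"builder": {"id": "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@refs/tags/v1.4.0"},
   "invocation": {"configSource": {"uri": "git+https://github.com/example-org/example-lib@refs/tags/v0.1.0", "digest": {"sha1": "0000000000000000000000000000000000000000"}, "entryPoint": ".github/workflows/release.yml"}},
   "materials": [{"uri": "git+https://github.com/example-org/example-lib@refs/tags/v0.1.0", "digest": {"sha1": "0000000000000000000000000000000000000000"}}]}}`

// VerifyArtifact accepts artifact only if the statement is provenance/v0.2, records the
// builder and config source (the HOW, not merely a signature) and lists name with a matching sha256.
func VerifyArtifact(stmtJSON []byte, name string, artifact []byte) error {
	var s Statement
	if err := json.Unmarshal(stmtJSON, &s); err != nil {
		return err
	}
	if s.PredicateType != "https://slsa.dev/provenance/v0.2" ||
		s.Predicate.Builder.ID == "" || s.Predicate.Invocation.ConfigSource.URI == "" {
		return fmt.Errorf("not a complete provenance/v0.2 statement (predicateType %q)", s.PredicateType)
	}
	want := fmt.Sprintf("%x", sha256.Sum256(artifact)) // digest of the bytes actually downloaded
	for _, sub := range s.Subject {
		if sub.Name == name && sub.Digest["sha256"] == want {
			return nil
		}
	}
	return fmt.Errorf("%s (sha256 %s) is not a subject of this provenance", name, want)
}
```

In a real release the statement would come from the generator's provenance attachment and its envelope signature would be checked before this content check.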
See: General availability of SLSA3 Generic Generator for GitHub Actions
May also need to look into SLSA Go releaser
Start here
This issue depends on the automated release process to be defined (go-releaser); see #42.