SLSA provenance attestation #922

johnbillion · 2024-12-03T17:17:06Z

See johnbillion/action-wordpress-plugin-attestation#12

szepeviktor · 2024-12-03T18:12:12Z

You want two things in one workflow ...

johnbillion · 2024-12-03T18:16:01Z

Yeah it's not always easy to determine whether an action is a composite

szepeviktor · 2024-12-03T18:18:47Z

It is a reusable one. It cannot live as a step.

reusable workflows should be referenced at the top-level `jobs.*.uses' key, not within steps

szepeviktor · 2024-12-03T18:24:01Z

I think this level3 thing must be in your build process.
https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-and-reusable-workflows-to-achieve-slsa-v1-build-level-3

johnbillion · 2024-12-03T18:36:21Z

I think I rabbit-holed on the actions provided by the SLSA framework due to the isolation requirement for level 3. The annoying thing about using a reusable workflow for a GitHub build provenance attestation is that you then need to verify it using the name of the repo that contains the reusable workflow that created the attestation.

It looks like I need to read into this more.

.github/workflows/deploy-tag.yml

Co-authored-by: Viktor Szépe <[email protected]>

johnbillion added 2 commits December 3, 2024 18:16

Let's try generating SLSA provenance attestation.

d7d98ac

Only do a dry run for now.

288b028

johnbillion temporarily deployed to WordPress.org December 3, 2024 17:20 — with GitHub Actions Inactive

johnbillion temporarily deployed to WordPress.org December 3, 2024 17:28 — with GitHub Actions Inactive

johnbillion temporarily deployed to WordPress.org December 3, 2024 17:35 — with GitHub Actions Inactive

johnbillion added 2 commits December 3, 2024 18:57

Looks like we need to perform the SLSA attestation ourselves.

876610e

Don't need this.

253acc0

No need for two jobs for this.

6bb608c

This is, in fact, not a composite action.

bb750a1

Adjust the permissions.

907bb6a

szepeviktor reviewed Dec 3, 2024

View reviewed changes

.github/workflows/deploy-tag.yml Outdated Show resolved Hide resolved

Update .github/workflows/deploy-tag.yml

65bbd8c

Co-authored-by: Viktor Szépe <[email protected]>

johnbillion temporarily deployed to WordPress.org December 3, 2024 20:52 — with GitHub Actions Inactive

johnbillion closed this Dec 3, 2024

johnbillion deleted the slsa branch December 20, 2024 15:45

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SLSA provenance attestation #922

SLSA provenance attestation #922

johnbillion commented Dec 3, 2024

szepeviktor commented Dec 3, 2024

johnbillion commented Dec 3, 2024

szepeviktor commented Dec 3, 2024 •

edited

Loading

szepeviktor commented Dec 3, 2024

johnbillion commented Dec 3, 2024

SLSA provenance attestation #922

SLSA provenance attestation #922

Conversation

johnbillion commented Dec 3, 2024

szepeviktor commented Dec 3, 2024

johnbillion commented Dec 3, 2024

szepeviktor commented Dec 3, 2024 • edited Loading

szepeviktor commented Dec 3, 2024

johnbillion commented Dec 3, 2024

szepeviktor commented Dec 3, 2024 •

edited

Loading