From d7d98acec2355f1884166964b327205a3eacc6f7 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 3 Dec 2024 18:16:10 +0100 Subject: [PATCH 1/8] Let's try generating SLSA provenance attestation. --- .github/workflows/deploy-tag.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-tag.yml b/.github/workflows/deploy-tag.yml index 3c550e74..76e532fa 100644 --- a/.github/workflows/deploy-tag.yml +++ b/.github/workflows/deploy-tag.yml @@ -45,7 +45,7 @@ jobs: needs: deploy steps: - name: Attest - uses: johnbillion/action-wordpress-plugin-attestation@0.4.0 + uses: johnbillion/action-wordpress-plugin-attestation@slsa with: version: ${{ needs.deploy.outputs.version }} zip-path: ${{ needs.deploy.outputs.zip-path }} From 288b0284577e1001aa360eab8de8af06bdab351f Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 3 Dec 2024 18:19:54 +0100 Subject: [PATCH 2/8] Only do a dry run for now. --- .github/workflows/deploy-tag.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/deploy-tag.yml b/.github/workflows/deploy-tag.yml index 76e532fa..32995495 100644 --- a/.github/workflows/deploy-tag.yml +++ b/.github/workflows/deploy-tag.yml @@ -49,3 +49,4 @@ jobs: with: version: ${{ needs.deploy.outputs.version }} zip-path: ${{ needs.deploy.outputs.zip-path }} + dry-run: true From 876610e3dee78bd10d9940ff5990488873294f9b Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 3 Dec 2024 18:57:46 +0100 Subject: [PATCH 3/8] Looks like we need to perform the SLSA attestation ourselves. --- .github/workflows/deploy-tag.yml | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/.github/workflows/deploy-tag.yml b/.github/workflows/deploy-tag.yml index 32995495..e7ead9f4 100644 --- a/.github/workflows/deploy-tag.yml +++ b/.github/workflows/deploy-tag.yml 
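Review bot: The changed `uses:` line moves the attestation action from the `0.4.0` tag to the `slsa` branch, which is a mutable ref: whatever is pushed to that branch next will run inside this release job, and the surrounding context shows the job already holds `id-token: write`. For a workflow that signs release artifacts, pin the action to a full commit SHA and keep the human-readable ref in a comment, e.g. `uses: johnbillion/action-wordpress-plugin-attestation@<full-commit-sha> # slsa branch`, then move to a tag-plus-SHA once the branch is released. The `0.4.0` tag being replaced had the same weakness, since tags can be moved too. The `dry-run: true` added in the next patch limits what a compromised action could publish but, as far as I can tell, not what it could do with the OIDC token it can request.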
@@ -43,10 +43,27 @@ jobs: id-token: write timeout-minutes: 70 needs: deploy + outputs: + base64-subjects: ${{ steps.attest.outputs.base64-subjects }} steps: - name: Attest + id: attest uses: johnbillion/action-wordpress-plugin-attestation@slsa with: version: ${{ needs.deploy.outputs.version }} zip-path: ${{ needs.deploy.outputs.zip-path }} dry-run: true + slsa: + name: Generate SLSA provenance attestation + runs-on: ubuntu-latest + needs: attest + permissions: + attestations: write + contents: read + id-token: write + steps: + - name: Generate + if: ${{ inputs.dry-run == 'false' }} + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + with: + base64-subjects-as-file: "${{ needs.attest.outputs.base64-subjects }}" From 253acc0dd553200c6b3f16609c3c323fd51a4c72 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 3 Dec 2024 18:59:58 +0100 Subject: [PATCH 4/8] Don't need this. --- .github/workflows/deploy-tag.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/deploy-tag.yml b/.github/workflows/deploy-tag.yml index e7ead9f4..0dc0fa9d 100644 --- a/.github/workflows/deploy-tag.yml +++ b/.github/workflows/deploy-tag.yml @@ -63,7 +63,6 @@ jobs: id-token: write steps: - name: Generate - if: ${{ inputs.dry-run == 'false' }} uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 with: base64-subjects-as-file: "${{ needs.attest.outputs.base64-subjects }}" From 6bb608c5b287341a8956568d3736a16e069d4e5a Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 3 Dec 2024 19:21:20 +0100 Subject: [PATCH 5/8] No need for two jobs for this. --- .github/workflows/deploy-tag.yml | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/.github/workflows/deploy-tag.yml b/.github/workflows/deploy-tag.yml index 0dc0fa9d..68628da6 100644 --- a/.github/workflows/deploy-tag.yml +++ b/.github/workflows/deploy-tag.yml 
@@ -43,8 +43,6 @@ jobs: id-token: write timeout-minutes: 70 needs: deploy - outputs: - base64-subjects: ${{ steps.attest.outputs.base64-subjects }} steps: - name: Attest id: attest @@ -53,16 +51,7 @@ jobs: version: ${{ needs.deploy.outputs.version }} zip-path: ${{ needs.deploy.outputs.zip-path }} dry-run: true - slsa: - name: Generate SLSA provenance attestation - runs-on: ubuntu-latest - needs: attest - permissions: - attestations: write - contents: read - id-token: write - steps: - name: Generate uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 with: - base64-subjects-as-file: "${{ needs.attest.outputs.base64-subjects }}" + base64-subjects-as-file: "${{ steps.attest.outputs.base64-subjects }}" From bb750a13356c05cc51577f5f820b9cf1efbc9ba6 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 3 Dec 2024 19:24:43 +0100 Subject: [PATCH 6/8] This is, in fact, not a composite action. --- .github/workflows/deploy-tag.yml | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/.github/workflows/deploy-tag.yml b/.github/workflows/deploy-tag.yml index 68628da6..4258b83c 100644 --- a/.github/workflows/deploy-tag.yml +++ b/.github/workflows/deploy-tag.yml @@ -43,6 +43,8 @@ jobs: id-token: write timeout-minutes: 70 needs: deploy + outputs: + base64-subjects: ${{ steps.attest.outputs.base64-subjects }} steps: - name: Attest id: attest 
@@ -51,7 +53,13 @@ jobs: version: ${{ needs.deploy.outputs.version }} zip-path: ${{ needs.deploy.outputs.zip-path }} dry-run: true - - name: Generate - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 - with: - base64-subjects-as-file: "${{ steps.attest.outputs.base64-subjects }}" + slsa: + name: Generate SLSA provenance attestation + needs: attest + permissions: + attestations: write + contents: read + id-token: write + uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 + with: + base64-subjects-as-file: "${{ needs.attest.outputs.base64-subjects }}" From 907bb6aa4f26687c7bf7420e34a94edbfa97ad02 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 3 Dec 2024 19:38:38 +0100 Subject: [PATCH 7/8] Adjust the permissions. --- .github/workflows/deploy-tag.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-tag.yml b/.github/workflows/deploy-tag.yml index 4258b83c..671dbcea 100644 --- a/.github/workflows/deploy-tag.yml +++ b/.github/workflows/deploy-tag.yml @@ -57,9 +57,9 @@ jobs: name: Generate SLSA provenance attestation needs: attest permissions: - attestations: write contents: read id-token: write + actions: read uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0 with: base64-subjects-as-file: "${{ needs.attest.outputs.base64-subjects }}" From 65bbd8c7f198e53f0f9b18ece01383b790cf8e39 Mon Sep 17 00:00:00 2001 From: John Blackbourn Date: Tue, 3 Dec 2024 20:51:31 +0000 Subject: [PATCH 8/8] Update .github/workflows/deploy-tag.yml MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Co-authored-by: Viktor Szépe --- .github/workflows/deploy-tag.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/deploy-tag.yml b/.github/workflows/deploy-tag.yml index 671dbcea..6a30d525 100644 --- a/.github/workflows/deploy-tag.yml 
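Review bot: The new `slsa` job feeds the `base64-subjects` job output straight into the generator's `base64-subjects-as-file` input, which, as I recall the slsa-github-generator documentation, names an uploaded artifact that contains the encoded subjects rather than taking the encoded string itself; the plain `base64-subjects` input is the one that accepts the string. If the generator's input description confirms this, change the line to `base64-subjects: "${{ needs.attest.outputs.base64-subjects }}"`; if the file variant is intentional, add a comment saying why and upload the subjects as an artifact in the `attest` job. Separately, the upstream step still runs with `dry-run: true`, so it should be confirmed that its `base64-subjects` output describes the artifact actually deployed, and a guard such as `if: needs.attest.outputs.base64-subjects != ''` on this job would keep the generator from signing an empty subject list.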
+++ b/.github/workflows/deploy-tag.yml @@ -57,7 +57,7 @@ jobs: name: Generate SLSA provenance attestation needs: attest permissions: - contents: read + contents: write id-token: write actions: read uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
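Review bot: The `contents: read` to `contents: write` change gives the provenance job repository write access without a visible consumer: the job's `with:` block in this series passes only the subjects input, and as I understand the generator's documentation `contents: write` is only needed to upload provenance to a GitHub release when `upload-assets` is enabled. If attaching the provenance to the release is the intent, make it explicit with `upload-assets: true` and a comment `# contents: write is required by the generator to upload provenance to the release`; otherwise keep `contents: read` so a compromised generator or runner cannot push to the repository. Either way, the reason a job that should only sign needs a write permission belongs in a comment next to the line.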