Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

attestation: drop workflow check on core attestation #17331

Merged
merged 1 commit into from
May 18, 2024
Merged

attestation: drop workflow check on core attestation #17331

merged 1 commit into from
May 18, 2024

Conversation

woodruffw
Copy link
Member

@woodruffw woodruffw commented May 18, 2024
edited
Loading

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

This follows the workflow changes I made in homebrew-core:

With those changes, (hopefully) all of our bottle-uploading workflows now produce provenance. However, this means we no longer have a single workflow to verify on. As a result, this change relaxes the check to allow any attestation from Homebrew/homebrew-core, not just ones from the original publish workflow. I've left a detailed comment on how to ratchet this back down, but I figured I'd fix the verification failure first and then work on that 🙂

(This should not meaningfully impact the security model, since an attacker would still need to obtain access to an OIDC credential within the context of homebrew-core.)

@woodruffw
attestation: drop workflow check on core attestation
3319e99 
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw woodruffw self-assigned this May 18, 2024
p-linnane
p-linnane approved these changes May 18, 2024
View reviewed changes
Copy link
Member

@p-linnane p-linnane left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@p-linnane p-linnane merged commit 06abd32 into master May 18, 2024
25 checks passed
@p-linnane p-linnane deleted the ww/drop-workflow-check branch May 18, 2024 15:48
@github-actions github-actions bot added the outdated PR was locked due to age label Jun 18, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 18, 2024
# for free to subscribe to this conversation on GitHub. Already have an account? #.
Reviewers

@carlocab carlocab carlocab approved these changes

@p-linnane p-linnane p-linnane approved these changes

Assignees

@woodruffw woodruffw

Labels
outdated PR was locked due to age
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@woodruffw @carlocab @p-linnane