
feat: SLSA 1.0 provenance statement #6613


Merged (1 commit, Jun 30, 2023)

Conversation

@bdehamer bdehamer (Contributor) commented Jun 28, 2023

Updates the provenance statement generated when publishing from GitHub Actions to be compliant w/ the SLSA 1.0 specification.

{
  "_type": "https://in-toto.io/Statement/v1",
  "subject": [
    {
      "name": "pkg:npm/%40ps-testing/dummy-provenance@1.0.0-5413135963.1",
      "digest": {
        "sha512": "f5a4afe14c8f353345bf27881b0100aef45739ff4ac5bc209e18200090873dde63e8bbc739b76eda12b1f2f0589c7374f9e3a15b409fbaa294c7934b48d275b9"
      }
    }
  ],
  "predicateType": "https://slsa.dev/provenance/v1",
  "predicate": {
    "buildDefinition": {
      "buildType": "https://slsa-framework.github.io/github-actions-buildtypes/workflow/v1",
      "externalParameters": {
        "workflow": {
          "ref": "refs/heads/bdehamer/slsa-1",
          "repository": "https://github.com/npm/provenance-tests",
          "path": ".github/workflows/publish-with-provenance.yml"
        }
      },
      "internalParameters": {
        "github": {
          "event_name": "workflow_dispatch",
          "repository_id": "566758891",
          "repository_owner_id": "6078720"
        }
      },
      "resolvedDependencies": [
        {
          "uri": "git+https://github.com/npm/provenance-tests@refs/heads/bdehamer/slsa-1",
          "digest": {
            "gitCommit": "8391d397739aa2afe1213b9d1c19c2cc5f648135"
          }
        }
      ]
    },
    "runDetails": {
      "builder": {
        "id": "https://github.com/actions/runner/github-hosted"
      },
      "metadata": {
        "invocationId": "https://github.com/npm/provenance-tests/actions/runs/5413135963/attempts/1"
      }
    }
  }
}

@bdehamer bdehamer requested a review from feelepxyz June 28, 2023 23:14

Generates a SLSA 1.0 compliant provenance statement for packages
published from GitHub Actions.

Signed-off-by: Brian DeHamer <bdehamer@github.com>
@feelepxyz feelepxyz (Contributor) left a comment

This looks good to me 👍

@bdehamer bdehamer marked this pull request as ready for review June 29, 2023 17:39
@bdehamer bdehamer requested a review from a team as a code owner June 29, 2023 17:39
@wraithgar wraithgar merged commit 5baf6a2 into latest Jun 30, 2023
@wraithgar wraithgar deleted the bdehamer/gha-provenance-slsa-1 branch June 30, 2023 14:02
@github-actions github-actions bot mentioned this pull request Jun 26, 2023