
[feature] Support for GitHub Attestation Store #3669

Open

ianlewis opened this issue May 23, 2024 · 3 comments
Labels
type:feature New feature or request

Comments

ianlewis (Member) commented May 23, 2024

We should consider adding support for storing results in GitHub's attestation store.

I think we would need to create a predicate that matches what the attestation store expects, so it would be slightly different than the ones we create today. This might be ok, since we aren't supporting SLSA v1.0 much in our workflows yet, so we could do it at the same time.

Related #3668

@ianlewis ianlewis added the type:feature New feature or request label May 23, 2024
OpenWaygate commented:

Great! Looking forward to a native implementation; for now I have to download each artifact and attest it with a workaround:

```yaml
  attestation:
    needs: [build]
    runs-on: ubuntu-latest
    permissions:
      id-token: write
      contents: read
      attestations: write
    strategy:
      matrix:
        artifact:
          - linux-amd64
          - linux-arm64
          - darwin-amd64
          - darwin-arm64
          - windows-amd64.exe
          - windows-arm64.exe
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v4
        with:
          name: yutu-${{ matrix.artifact }}
      - name: Attest
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: '${{ github.workspace }}/yutu-${{ matrix.artifact }}'
```

ianlewis (Member, Author) commented Jun 3, 2024

@OpenWaygate So I guess you are generating two attestations? One created by slsa-github-generator and one by the attest-build-provenance action?

OpenWaygate commented:

Yes; while the one created by slsa-github-generator will appear in release assets, the one created by attest-build-provenance will appear in https://github.com/username/projectname/attestations
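The thread turns on two things: the predicate format the attestation store expects (ianlewis's first comment) and the fact that a project can end up with two provenance attestations for the same artifact in two places. Whichever source an attestation comes from, a consumer ends up with the same payload shape: an in-toto v1 Statement with a SLSA provenance v1 predicate, wrapped in a DSSE envelope inside a Sigstore bundle. The following is an added example, not code from this issue or from slsa-github-generator, showing how to build such a statement for an artifact and how to check a decoded statement against the bytes on disk (subject name, sha256 digest, predicate type, builder id). The artifact bytes, artifact name, builder id and buildType URI are constructed placeholder values; signature verification of the envelope is deliberately out of scope here.

```python
"""Build and shape-check an in-toto v1 Statement with a SLSA v1 provenance predicate.

Added example, not code from the issue or from slsa-github-generator. Only the
payload structure and the subject digest are checked; the DSSE signatures a
real Sigstore bundle carries are not verified here.
"""
import base64
import hashlib
import json

STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
SLSA_V1_PREDICATE_TYPE = "https://slsa.dev/provenance/v1"
INTOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample values; a real workflow uses the artifact it just built
# and the builder id its attestation tooling reports.
SAMPLE_ARTIFACT_NAME = "yutu-linux-amd64"
SAMPLE_ARTIFACT_BYTES = b"constructed sample artifact bytes, not a real binary"
SAMPLE_BUILDER_ID = "https://example.invalid/builder"  # hypothetical placeholder


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_statement(name: str, data: bytes, builder_id: str) -> dict:
    """Return an in-toto v1 Statement whose single subject is the artifact `data`.

    Only the SLSA v1 fields every consumer looks at are filled in: buildType and
    externalParameters under buildDefinition, builder.id under runDetails.
    """
    return {
        "_type": STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(data)}}],
        "predicateType": SLSA_V1_PREDICATE_TYPE,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/build-type",  # placeholder URI
                "externalParameters": {},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def wrap_in_dsse(statement: dict) -> dict:
    """Wrap a statement as an unsigned DSSE envelope (payload is base64 JSON)."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "payloadType": INTOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [],  # a real bundle carries at least one signature here
    }


def statement_from_dsse(envelope: dict) -> dict:
    """Decode the statement from a DSSE envelope, rejecting unexpected payload types."""
    if envelope.get("payloadType") != INTOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType: {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_statement(statement: dict, name: str, data: bytes) -> list:
    """Return the problems found; an empty list means the statement names this
    artifact with a matching sha256 and carries a SLSA v1 predicate with a builder id."""
    problems = []
    if statement.get("_type") != STATEMENT_TYPE:
        problems.append(f"unexpected _type {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_V1_PREDICATE_TYPE:
        problems.append(f"unexpected predicateType {statement.get('predicateType')!r}")
    matching = [s for s in statement.get("subject", []) if s.get("name") == name]
    if not matching:
        problems.append(f"no subject named {name!r}")
    else:
        want = sha256_hex(data)
        got = matching[0].get("digest", {}).get("sha256")
        if got != want:
            problems.append(f"sha256 mismatch for {name!r}: statement {got!r}, artifact {want!r}")
    builder_id = (statement.get("predicate", {}).get("runDetails", {})
                  .get("builder", {}).get("id"))
    if not builder_id:
        problems.append("predicate has no runDetails.builder.id")
    return problems


if __name__ == "__main__":
    stmt = build_statement(SAMPLE_ARTIFACT_NAME, SAMPLE_ARTIFACT_BYTES, SAMPLE_BUILDER_ID)
    decoded = statement_from_dsse(wrap_in_dsse(stmt))
    print("intact artifact:", check_statement(decoded, SAMPLE_ARTIFACT_NAME, SAMPLE_ARTIFACT_BYTES))
    print("tampered artifact:", check_statement(decoded, SAMPLE_ARTIFACT_NAME, SAMPLE_ARTIFACT_BYTES + b"x"))
```

The same `check_statement` applies to a statement decoded from either source in the thread: a release-asset provenance file from slsa-github-generator or a bundle fetched from the repository's attestations page, as long as the payload is unwrapped from its envelope first. A v0.2 provenance (`https://slsa.dev/provenance/v0.2`) is reported as a predicateType problem, which is exactly the format difference the issue is about.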

2 participants