Add SLSA generic generator workflow #1573
This workflow generates SLSA provenance files for projects, satisfying level 3 requirements. It includes steps for building artifacts and generating subjects for provenance.
Pull request overview
This PR adds a GitHub Actions workflow for generating SLSA (Supply chain Levels for Software Artifacts) provenance files, which helps improve software supply chain security by providing verifiable information about how artifacts were built. The workflow consists of two jobs: one that builds artifacts and generates their SHA256 hashes, and another that generates SLSA Level 3 provenance metadata.
Changes:
- Added a new workflow file that generates SLSA provenance for build artifacts
- Configured the workflow to trigger on release creation and manual dispatch
- Set up appropriate permissions for SLSA provenance generation and release asset uploads
| # List the artifacts the provenance will refer to. | ||
| files=$(ls artifact*) | ||
| # Generate the subjects (base64 encoded). | ||
| echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" |
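Review bot: `files=$(ls artifact*)` parses `ls` output and word-splits it, so an artifact name containing whitespace becomes several `sha256sum` operands, and when nothing matches the literal pattern is passed to `ls`, which fails; whether the step stops there depends on the shell's errexit setting, which is not visible in this hunk, and if it continues `sha256sum` runs with no file operands and reads standard input, so a subjects value describing no artifact is written to `${GITHUB_OUTPUT}`. Suggest expanding the glob directly into an array (`shopt -s nullglob; files=(artifact*)`) and failing the step explicitly when `${#files[@]}` is zero, before anything is appended to the output file.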
Copilot (AI), Feb 5, 2026
There is a mismatch between the output variable name and its usage. The script sets the output as "hashes" but it's referenced as "digests" in the job outputs (line 23) and when passed to the provenance job (line 65). This will cause the workflow to fail because the output variable will be undefined. Change "hashes" to "digests" to match the expected output name.
| echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" | |
| echo "digests=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" |
@copilot open a new pull request to apply changes based on the comments in this thread |
Nice
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@copilot open a new pull request to apply changes based on the comments in this thread |
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@copilot open a new pull request to apply changes based on the comments in this thread |
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.
| # List the artifacts the provenance will refer to. | ||
| files=$(compgen -G "artifact*" || true) | ||
| if [ -z "$files" ]; then |
Copilot (AI), Feb 5, 2026
The output variable name is inconsistent. Line 59 sets the output as 'hashes' but line 23 references it as 'digests'. This will cause the workflow to fail because the provenance job will receive an empty value.
Change line 59 to use 'digests' instead of 'hashes' to match the output reference, or update line 23 to reference 'hashes' instead of 'digests'.
| with: | ||
| name: build-artifacts | ||
| path: artifact* | ||
| # ======================================================== |
Copilot (AI), Feb 5, 2026
The comment mentions "all binaries that you generate provenance for" but the example code generates text files, not binaries. This inconsistency between the comment and the example could be confusing.
Consider updating the comment to be more generic (e.g., "all artifacts") or updating the example to generate actual binary artifacts to match the comment.
| files=$(compgen -G "artifact*" || true) | ||
| if [ -z "$files" ]; then | ||
| echo "Error: no artifacts found matching pattern 'artifact*'." >&2 | ||
| exit 1 | ||
| fi | ||
| # Generate the subjects (base64 encoded). | ||
| echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" |
Copilot (AI), Feb 5, 2026
The variable files may contain newlines if multiple files match the pattern, which could cause issues with the unquoted variable expansion in the sha256sum command on line 59. If filenames contain spaces or special characters, this could lead to incorrect behavior or security issues.
Consider using a safer approach such as:
- Using an array to store filenames
- Quoting the variable properly
- Using find with -print0 and xargs -0 for more robust file handling
| files=$(compgen -G "artifact*" || true) | |
| if [ -z "$files" ]; then | |
| echo "Error: no artifacts found matching pattern 'artifact*'." >&2 | |
| exit 1 | |
| fi | |
| # Generate the subjects (base64 encoded). | |
| echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}" | |
| mapfile -t files < <(compgen -G "artifact*" || true) | |
| if [ "${#files[@]}" -eq 0 ]; then | |
| echo "Error: no artifacts found matching pattern 'artifact*'." >&2 | |
| exit 1 | |
| fi | |
| # Generate the subjects (base64 encoded). | |
| echo "hashes=$(sha256sum "${files[@]}" | base64 -w0)" >> "${GITHUB_OUTPUT}" |
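A more robust version of the hash step discussed in this comment, added here as an example and not code from the PR: filenames travel NUL-separated through `find` and `xargs` so whitespace in an artifact name cannot split it, an empty match set fails the step instead of emitting an empty subject list, and a second function decodes the base64-subjects value and re-checks every digest with `sha256sum -c`. The function names `gen_subjects` and `verify_subjects`, the `demo` helper and the sample artifacts are constructed for this example; the output key `digests` is the one the job's `outputs:` block reads.

```bash
#!/usr/bin/env bash
# Added example, not code from the PR: a hash step that tolerates whitespace in
# artifact names, fails on an empty match set, and can re-check its own output.
set -eu

# gen_subjects DIR GLOB
# Prints the base64 of "sha256sum" lines for the files in DIR matching GLOB,
# the form the SLSA generic generator's base64-subjects input expects.
gen_subjects() {
  dir="$1"; glob="$2"
  # -print0 / xargs -0 keep each filename a single operand; %P drops the "./"
  # prefix so the subject name is the bare filename; sort -z gives stable order.
  listing=$(cd "$dir" && find . -maxdepth 1 -type f -name "$glob" -printf '%P\0' \
              | sort -z | xargs -0 -r sha256sum --)
  if [ -z "$listing" ]; then
    echo "Error: no artifacts in '$dir' matching '$glob'." >&2
    return 1
  fi
  printf '%s\n' "$listing" | base64 -w0
}

# verify_subjects DIR SUBJECTS
# Decodes SUBJECTS, re-hashes every listed file in DIR with "sha256sum -c" and
# prints the number of subjects; returns non-zero if any digest or name differs.
verify_subjects() {
  dir="$1"; subjects="$2"
  printf '%s' "$subjects" | base64 -d \
    | (cd "$dir" && sha256sum -c --strict --quiet -) || return 1
  printf '%s' "$subjects" | base64 -d | grep -c .
}

# Constructed sample artifacts: a plain name, a name with a space, a non-match.
demo() {
  tmp=$(mktemp -d)
  printf 'alpha\n' > "$tmp/artifact-linux-amd64"
  printf 'beta\n'  > "$tmp/artifact darwin-arm64"
  printf 'docs\n'  > "$tmp/README"
  subjects=$(gen_subjects "$tmp" 'artifact*')
  verify_subjects "$tmp" "$subjects"   # prints 2
  # In the workflow step this value would be written as:
  #   echo "digests=$subjects" >> "$GITHUB_OUTPUT"
  # matching the job output "digests: ${{ steps.hash.outputs.digests }}".
  rm -rf "$tmp"
}

demo
```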
| needs: [build] | ||
| permissions: | ||
| actions: read # To read the workflow path. | ||
| id-token: write # To sign the provenance. |
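Review bot: the `permissions:` block of the provenance job shows only `actions: read` and `id-token: write`; uploading provenance as a release asset, which the thread says is enabled with `upload-assets: true`, also requires `contents: write` on the calling job, so either that line sits below the visible snippet or the upload will be rejected at run time. Suggest confirming it is present here and, since the build job does not touch the release, keeping that job at `contents: read`.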
Copilot (AI), Feb 5, 2026
The workflow sets upload-assets: true which attempts to upload provenance to a release, but the workflow can be triggered by workflow_dispatch (manual trigger) when there is no release event. This will cause the provenance job to fail when manually triggered.
Consider either:
- Removing `workflow_dispatch` from the triggers if assets should only be uploaded during releases
- Making `upload-assets` conditional based on the trigger type
- Setting `upload-assets: false` and handling asset uploads separately
Co-authored-by: paulthanson082-glitch <252514830+paulthanson082-glitch@users.noreply.github.com>
Co-authored-by: paulthanson082-glitch <252514830+paulthanson082-glitch@users.noreply.github.com>
…xecution Add `specify run` command for script execution
…-script-execution Revert "Add `specify run` command for script execution"
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated 2 comments.
| outputs: | ||
| digests: ${{ steps.hash.outputs.digests }} | ||
Copilot (AI), Feb 7, 2026
outputs.digests references steps.hash.outputs.digests, but the hash step writes hashes=... to $GITHUB_OUTPUT (so steps.hash.outputs.digests will be empty). Rename the emitted output key to digests (or update all references to use hashes) so base64-subjects gets the expected value.
| name: SLSA generic generator | ||
| on: | ||
| workflow_dispatch: | ||
| release: | ||
| types: [created] |
Copilot (AI), Feb 7, 2026
This workflow doesn’t set explicit permissions for GITHUB_TOKEN. Other workflows in this repo do (e.g., .github/workflows/lint.yml:2-3, .github/workflows/docs.yml:15-18, .github/workflows/release.yml:16-18). Add minimal permissions (likely contents: read for build, and only what’s needed for provenance) to follow the repo’s pattern and reduce token scope.