actions/attest-build-provenance #3220

Open: wants to merge 2 commits into base: master

Conversation

lectrical

Adding https://github.com/actions/attest-build-provenance to the ci builds so that the release assets and docker image for the next release tag generate signed build provenance attestations for workflow artifacts.

@emanuele6
Member

It is erroring with:

Error: Failed to get ID token: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable

@lectrical
Author

@emanuele6 that seems a permissions issue on the pr actions. It works in the local repo (except docker push which was working

https://github.com/lectrical/jq/actions/runs/12274537270

It's the normal error you expect if you forgot to add these https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#generating-build-provenance-for-binaries

Perhaps it should be skipped for pr requests anyway?

@lectrical
Author

lectrical commented Dec 12, 2024

So according to this actions/attest-build-provenance#99 the issue is expected.

I think I can maybe make it skip this on a pr originating from a fork?

@lectrical
Author

So that worked. The step is skipped unless a tag was pushed. I think that will only happen for a new release?
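
The failure and the fix discussed in this thread, as an added workflow sketch that is not the PR's actual change or the project's own workflow. The workflow name, job name, build command, `dist/*` path and the `@v2`/`@v4` version tags are assumptions made for illustration.

```yaml
# Added example; workflow, job, step and path names are hypothetical.
name: release-attest-example
on:
  push:
    tags: ['*']
  pull_request:

# Default for every job: read-only token.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # lets the job request an OIDC ID token
      attestations: write   # lets the job store the attestation
    steps:
      - uses: actions/checkout@v4

      - name: Build release assets (hypothetical build command)
        run: make dist

      # Weak form: no condition, so the step also runs on pull_request
      # events from forks. Those runs are not granted id-token: write,
      # ACTIONS_ID_TOKEN_REQUEST_URL is unset, and the step fails with
      # "Failed to get ID token".
      # - uses: actions/attest-build-provenance@v2
      #   with:
      #     subject-path: dist/*

      # Corrected form: attest only when a tag was pushed, so PR builds
      # still compile and test but never request an ID token.
      - name: Attest build provenance
        if: startsWith(github.ref, 'refs/tags/')
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: dist/*
```

A consumer can then check a downloaded release asset with `gh attestation verify <file> -R <owner>/<repo>`, where both placeholders are to be filled in for the repository that produced it.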
