Experimental: Use SLSA generic workflow for generating provenances #3166
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rbehjati
changed the title
rbehjati
requested review from
conradgrobler,
mariaschett and
a team
and removed request for
a team
ipetr0v
approved these changes
Aug 25, 2022
conradgrobler
approved these changes
Aug 25, 2022
mariaschett
approved these changes
Aug 25, 2022
| base64-subjects: '${{ needs.build_provenance.outputs.hashes }}' | ||
| # Set a custom name for the provenance attestation. | ||
| attestation-name: 'oak_functions_loader_base.intoto.jsonl' | ||
| # Upload provenance to a new release |
There was a problem hiding this comment.
Out of curiousity: Where does this upload to?
There was a problem hiding this comment.
It is GitHub's internal storage or something. These files get attached to the action. Similar to the SARIF file in this action: https://github.com/project-oak/oak/actions/runs/2920567892.
| @@ -18,6 +21,7 @@ jobs: | |||
| OAK_FUNCTIONS_BASE_PATH: './target/x86_64-unknown-linux-musl/release/oak_functions_loader_base' | |||
| OAK_FUNCTIONS_UNSAFE_PATH: './target/x86_64-unknown-linux-musl/release/oak_functions_loader_unsafe' | |||
| OAK_BAREMETAL_CROSVM_PATH: './experimental/oak_baremetal_app_crosvm/target/x86_64-unknown-none/release/oak_baremetal_app_crosvm' | |||
| OAK_FUNCTIONS_RELEASE_PATH: './target/x86_64-unknown-linux-musl/release' | |||
There was a problem hiding this comment.
We use the we could use the OAK_FUNCTIONS_RELEASE_PATH in OAK_FUNCTIONS_BASE_PATH and OAK_FUNCTIONS_UNSAFE_PATH.
There was a problem hiding this comment.
Exactly. I thought I'd fix this after I am done with the experiment :)
|
Reproducibility Index: Reproducibility Index diff: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR adds a new job to the provenance workflow to generate a signed provenance using the generic SLSA generator (based on the instructions for using generator_generic_slsa3). This is in an experimental state, since it is not possible to trigger the generator on pull-request events. I have added
workflow_dispatchas a trigger for the provenance workflow. Once this is merged it is possible to experiment with provenance generation.If that is successful, I'll cleanup and complete the added step.
For more context also see: slsa-framework/slsa-github-generator#731
Ref #2626.