[discussion] Revisit internalParameters #2208

Open
ianlewis opened this issue Jun 2, 2023 · 0 comments
Labels
area:BYOB An issue with the BYOB framework type:discussion A point of discussion

ianlewis commented Jun 2, 2023

https://slsa.dev/provenance/v1#builddefinition states for internalParameters:

There is no need to verify these parameters because the build platform is already trusted, and in many cases it is not practical to do so.

This brings up whether our use of internalParameters is correct. We need to verify some information from the internal parameters. It's currently used by builderTriggerInfo which is then used to get the source URI and workflow path for verification. We also verify a number of values from these parameters.

We add most GITHUB_* environment variables to these parameters since they are set by GitHub Actions and not directly by the user, but perhaps some, like GITHUB_REPOSITORY, should actually be considered under the user's control and be set in the externalParameters?

/cc @laurentsimon @asraa

Related to #2186, #1200

ianlewis added the type:discussion (A point of discussion) and area:BYOB (An issue with the BYOB framework) labels Jun 2, 2023
ianlewis added this to the Support for SLSA v1.0 milestone Jun 2, 2023
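
Added example (not part of the issue, and not slsa-github-generator or slsa-verifier code): a small check that reports which verification expectations can only be satisfied by reading internalParameters, and how that changes if a key such as GITHUB_REPOSITORY were moved to externalParameters. The predicate is constructed; its buildType, builder id, values, the flat key layout of both parameter maps, and the helper names `locate`, `relies_on_internal` and `promote` are assumptions.

```python
import copy

# Constructed predicate in the SLSA v1 provenance layout. buildType, builder id
# and all parameter values are placeholders, not real generator output; the
# flat key layout of both parameter maps is an assumption.
SAMPLE = {
    "buildDefinition": {
        "buildType": "https://example.com/buildtype/v1",
        "externalParameters": {"artifact": "app"},
        "internalParameters": {
            "GITHUB_REPOSITORY": "example-org/example-repo",
            "GITHUB_RUN_ID": "1234567890",
        },
    },
    "runDetails": {"builder": {"id": "https://example.com/builder@v1"}},
}

def locate(predicate, expected):
    """Map each expected key to where a matching value was found.
    "external": matched in externalParameters
    "internal": matched only in internalParameters
    "mismatch": key present, value differs; "missing": key absent
    """
    bd = predicate["buildDefinition"]
    ext = bd.get("externalParameters", {})
    internal = bd.get("internalParameters", {})
    report = {}
    for key, want in expected.items():
        if key in ext:
            report[key] = "external" if ext[key] == want else "mismatch"
        elif key in internal:
            report[key] = "internal" if internal[key] == want else "mismatch"
        else:
            report[key] = "missing"
    return report

def relies_on_internal(report):
    """Expectations that only pass by reading internalParameters."""
    return sorted(k for k, v in report.items() if v == "internal")

def promote(predicate, keys):
    """Copy of predicate with keys moved to externalParameters (hypothetical)."""
    out = copy.deepcopy(predicate)
    bd = out["buildDefinition"]
    for key in keys:
        if key in bd.get("internalParameters", {}):
            value = bd["internalParameters"].pop(key)
            bd.setdefault("externalParameters", {})[key] = value
    return out
```

A non-empty result from `relies_on_internal` marks the policy checks that depend on fields the SLSA text quoted in the issue describes as not needing verification.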