laurentsimon
2022-08-01 15:00:08 +00:00
parent 30f1eecad1
commit aec987bfb5
2 changed files with 9 additions and 7 deletions
+7 -5
@@ -3,9 +3,8 @@
# separate terms of service, privacy policy, and support
# documentation.
# This workflow lets you compile your Go project using a SLSA3 compliant builder
# This workflow will generate a so-called "provenance" file describing the steps
# that were performed to generate the final binary.
# This workflow lets you generate SLSA provenance file for your project.
# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
# The project is an initiative of the OpenSSF (openssf.org) and is developed at
# https://github.com/slsa-framework/slsa-github-generator.
# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
@@ -26,7 +25,7 @@ jobs:
digests: ${{ steps.hash.outputs.digests }}
steps:
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3
uses: actions/checkout@v3
# ========================================================
#
@@ -52,7 +51,10 @@ jobs:
run: |
set -euo pipefail
echo "::set-output name=digests::$(sha256sum artifact1 artifact2 | base64 -w0)"
# List the artifacts the provenance will refer to.
files=$(ls artifact*)
# Generate the subjects (base64 encoded).
echo "::set-output name=digests::$(sha256sum $files | base64 -w0)"
provenance:
needs: [build]
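Review bot: In the hash step, `files=$(ls artifact*)` followed by the unquoted `$files` splits on whitespace, so an artifact whose name contains a space reaches sha256sum as several non-existent paths. Because sha256sum runs inside a command substitution that is only an argument to echo, its failure is not caught by `set -euo pipefail`, and the step can succeed while emitting incomplete subjects. Let the shell expand the glob and assign first so the exit status propagates: `digests=$(sha256sum artifact* | base64 -w0)` followed by `echo "::set-output name=digests::$digests"`. Since every workspace entry matching `artifact*` becomes a provenance subject, a comment such as `# Replace artifact* with the exact files you release.` would help users narrow the pattern. The step's opening lines are outside this hunk.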
@@ -2,6 +2,6 @@
"name": "SLSA Generic generator",
"creator": "Open Source Security Foundation (OpenSSF)",
"description": "Generate SLSA3 provenance for your existing release workflows",
"iconName": "go-ossf-slsa3-publish",
"categories": ["Continuous integration"]
"iconName": "generator-generic-ossf-slsa3-publish",
"categories": ["Continuous integration", "Go", "Elixir", "Erlang", "PHP", "Haskell", "Rust", "Java", "Scala", "Gradle", "Maven", "Python", "C", "C++", "TypeScript", "JavaScript", "npm", "Ruby", "HTML", "Composer", "Makefile", "Ada"]
}