… fix internalParams (#2183)
Fixes #2182
This ensures that the source dependency comes first in the list of
resolved dependencies. This way, the verifier can identify the correct
source.
This will fix the container-based e2e tests.
Also took the opportunity to clean up the predicate's internal
parameters - no more github runner or other invalid fields.
---------
Signed-off-by: Asra Ali <asraa@google.com>
laurentsimon pushed a commit to laurentsimon/slsa-github-generator that referenced this issue on Jun 1, 2023
… fix internalParams (slsa-framework#2183)
Fixes slsa-framework#2182
This ensures that the source dependency comes first in the list of
resolved dependencies. This way, the verifier can identify the correct
source.
This will fix the container-based e2e tests.
Also took the opportunity to clean up the predicate's internal
parameters - no more github runner or other invalid fields.
---------
Signed-off-by: Asra Ali <asraa@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
The container-based builder uses two resolved deps: one is the source, and one is the builder binary from this repository.
They are both represented as a ResourceDescriptor in the unordered ResolvedDependencies field of the SLSA v1.0 provenance.
My suggestion is to use an annotation "source" to hint at which was the source, so the slsa-verifier can make an informed decision.
We can keep the default behavior the same - that is, if there is only 1 resolved dep, use that as the source. If there are more than 1, we can use the annotations to narrow the list down.
This is a string-string map, so we can do something like
the verifier can check presence of a source key in the annotation map with the value true.
What do you think?
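The selection rule proposed in the issue, written out as an added example; this is not code from the issue, from slsa-verifier or from slsa-github-generator. The ResourceDescriptor type is an assumed, trimmed-down stand-in for the SLSA v1.0 one, the annotation value is accepted both as the JSON boolean true and as the string "true", and with more than one dependency anything other than exactly one source-annotated entry is treated as an error.

```go
package main

import "fmt"

// ResourceDescriptor is a trimmed-down stand-in (an assumption made for this
// example) for the SLSA v1.0 ResourceDescriptor, keeping only the fields the
// selection logic needs.
type ResourceDescriptor struct {
	URI         string                 `json:"uri"`
	Digest      map[string]string      `json:"digest,omitempty"`
	Annotations map[string]interface{} `json:"annotations,omitempty"`
}

// isSourceAnnotated reports whether the descriptor carries the proposed
// "source" annotation. JSON decoding yields a bool for `true`, so the bool
// and the string form "true" (the issue's string-string map) are both accepted.
func isSourceAnnotated(rd ResourceDescriptor) bool {
	switch v := rd.Annotations["source"].(type) {
	case bool:
		return v
	case string:
		return v == "true"
	}
	return false
}

// SelectSource applies the heuristic proposed in the issue: a lone resolved
// dependency is the source; with several, exactly one must be annotated as
// the source. Anything else is ambiguous, and the verifier fails closed
// rather than risk checking the artifact against the wrong source.
func SelectSource(deps []ResourceDescriptor) (ResourceDescriptor, error) {
	if len(deps) == 1 {
		return deps[0], nil
	}
	var found []ResourceDescriptor
	for _, d := range deps {
		if isSourceAnnotated(d) {
			found = append(found, d)
		}
	}
	if len(found) != 1 {
		return ResourceDescriptor{}, fmt.Errorf(
			"expected exactly one source-annotated resolved dependency, found %d of %d",
			len(found), len(deps))
	}
	return found[0], nil
}
```

Note that the commit referenced above took a different route, placing the source dependency first in the list rather than annotating it.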