feat: support for BYOB verification #562

Merged
merged 5 commits into from
Apr 19, 2023

@laurentsimon laurentsimon commented Apr 18, 2023

CLI tests will need to be added once we have a non-RC release.
I have made the builder-id a mandatory option, to ensure there is no bias towards GitHub as default trusted builders.

Will need a follow-up PR to add an exception to allow certain workflows to be referenced at main for testing.

verifiers/internal/gha/provenance.go (outdated)
@@ -21,6 +21,8 @@ import (

const (
publishAttestationV01 = "https://github.com/npm/attestation/tree/main/specs/publish/"
builderGitHubRunnerID = "https://github.com/actions/runner"
ossfNpmBuilderID = "https://github.com/slsa-framework/slsa-github-generator/.github/workflows/builder_nodejs_slsa3.yml"
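Review bot: `ossfNpmBuilderID` in the const block has no comment saying how it is used, and its value names the workflow path with no ref. Since this PR describes builder-id as a mandatory option, a hardcoded builder ID here should not act as an implicit trusted default. Either drop the constant if nothing references it, or add a comment stating what it is compared against and how a ref on the supplied builder ID is treated in that comparison.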
Member

I guess you don't actually need this anymore since the builder-id option is required?

Contributor Author

Good catch. You're correct, I'll remove it.

laurentsimon and others added 4 commits April 19, 2023 18:47
Signed-off-by: laurentsimon <laurentsimon@google.com>
Co-authored-by: Ian Lewis <ianlewis@google.com>
Signed-off-by: laurentsimon <64505099+laurentsimon@users.noreply.github.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
Signed-off-by: laurentsimon <laurentsimon@google.com>
@laurentsimon laurentsimon merged commit c0cadc0 into slsa-framework:main Apr 19, 2023