You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
For security reasons, id-token: write, attestations: write and other privilege usages should be minimized, so the privileges should not exist for code that performs "build" steps.
In other words, the best usage would be splitting the build+attest into separate steps:
build artifacts (without id-token: write)
attest the results
However, then the users would have to transfer the artifacts from build to the attest job.
Of course they can make a zip file, publish it from "build artifacts", download it in the attest job, and perform the attestation.
That would be wasteful though as the only needed bit is SHA of the file, so it would be better to generate a list of filename-checksum pairs in the "build artifact" job, and use the list in "attest the results" job.
What do you think of adding @actions/upload-checksums action that would generate checksums for the specified files. Then @actions/attest-build-provenance could use the list and generate the attestations for them?
The text was updated successfully, but these errors were encountered:
FWIW subject-path already supports multiple subjects though it does not seem to be documented as such.
It would also be great if a file containing subject paths were to be supported as input. Specifically JReleaser computes a list of release assets that should be attested
@vlsi this seems like a useful feature (and we've received a few other similar requests already). We'll consider this for the next round of improvements to the attestation actions. Thanks!
For security reasons,
id-token: write
,attestations: write
and other privilege usages should be minimized, so the privileges should not exist for code that performs "build" steps.In other words, the best usage would be splitting the build+attest into separate steps:
id-token: write
)However, then the users would have to transfer the artifacts from build to the attest job.
Of course they can make a zip file, publish it from "build artifacts", download it in the attest job, and perform the attestation.
That would be wasteful though as the only needed bit is SHA of the file, so it would be better to generate a list of filename-checksum pairs in the "build artifact" job, and use the list in "attest the results" job.
What do you think of adding
@actions/upload-checksums
action that would generate checksums for the specified files. Then@actions/attest-build-provenance
could use the list and generate the attestations for them?The text was updated successfully, but these errors were encountered: