-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make Gitpod SLSA Level 1 compliant by providing in-toto provenance #7387
Conversation
|
/werft run no-preview 👍 started the job as gitpod-build-cw-bump-leeway.33 |
/approve |
/lgtm |
LGTM label has been added. Git tree hash: 268ef24c1baa555f218606f7139de1e3abab520f
|
/assign @laushinka @mrsimonemms |
/approve |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: akosyakov, corneliusludmann, csweichel, JanKoehnlein Associated issue requirement bypassed by: akosyakov The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Description
This PR updates leeway to the latest release which supports generating SLSA provenance as part of the build. With this change, for every subsequent build, we find out what went into this build. In the future, with the addition of signatures (already supported by leeway), we can find out if the build - or the leeway cache - has been tampered with.
Use-cases for this change:
See below's Loom video for more detail.
Caveats
.gradle/
orgo/
directories. leeway has a fallback mode where if the working copy is dirty, it collects the materials from the package sources directly. We want to get to a state where build from a clean working copy, to ensure that we're truly building directly from Git.How to test
Best way is to inspect the provenance generated for the build:
Release Notes