
feat: add support for GitHub provenances passed as input #732

Merged
merged 1 commit into from
May 8, 2024

Conversation

behnazh-w
Member

@behnazh-w behnazh-w commented May 7, 2024

GitHub has announced the Artifact Attestations feature to generate SLSA provenances for artifacts built on GitHub. This PR adds support for such provenances when passed as input.

To test this feature, the attestation generated on an example Maven project is passed as input, and the policy enforcement and generated VSA are checked.

We will add support for discovering the provenances and verifying their signatures for a software component in upcoming PRs.

Signed-off-by: behnazh-w <behnaz.hassanshahi@oracle.com>
@oracle-contributor-agreement oracle-contributor-agreement bot added the OCA Verified All contributors have signed the Oracle Contributor Agreement. label May 7, 2024
@behnazh-w behnazh-w marked this pull request as ready for review May 7, 2024 23:24
@behnazh-w behnazh-w requested a review from tromai as a code owner May 7, 2024 23:24
@behnazh-w behnazh-w self-assigned this May 7, 2024
@behnazh-w behnazh-w requested a review from nathanwn May 7, 2024 23:37
@behnazh-w behnazh-w added the slsa-provenance The issues related to SLSA provenances label May 8, 2024
Member

@nathanwn nathanwn left a comment

I don't think I have anything to add. Thanks for the PR.

Member

@tromai tromai left a comment

LGTM. Thanks for the changes.

@behnazh-w behnazh-w merged commit d5920fc into staging May 8, 2024
11 checks passed
@nathanwn nathanwn deleted the behnazh/accept-signed-prov-file branch May 8, 2024 02:49
art1f1c3R pushed a commit that referenced this pull request Nov 29, 2024
Labels
OCA Verified All contributors have signed the Oracle Contributor Agreement. slsa-provenance The issues related to SLSA provenances
3 participants