
Conversation

@ghost

@ghost ghost commented Apr 14, 2025

No description provided.

@ghost ghost marked this pull request as ready for review April 14, 2025 04:22
@yeongpin
Owner

- [provenance / generator](https://github.com/yeongpin/cursor-free-vip/actions/runs/14437610707/job/40481337448#step:1:26): Missing download info for actions/upload-artifact@83fd05a
- [provenance / detect-env](https://github.com/yeongpin/cursor-free-vip/actions/runs/14437610707/job/40481321518#step:3:10): The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/
- [provenance / detect-env](https://github.com/yeongpin/cursor-free-vip/actions/runs/14437610707/job/40481321518#step:3:9): The `set-output` command is deprecated and will be disabled soon. Please upgrade to using Environment Files. For more information see: https://github.blog/changelog/2022-10-11-github-actions-deprecating-save-state-and-set-output-commands/

Sazwanismail added a commit to Sazwanismail/Sazwan-ismail that referenced this pull request Sep 19, 2025
The `generator-generic-ossf-slsa3-publish.yml` is a GitHub Actions workflow file designed to generate **SLSA Level 3 provenance** for software artifacts. This helps enhance software supply chain security by providing verifiable information about the build process, sources, and integrity of released artifacts. Below is a detailed explanation based on the search results:

---

### 📋 1. **Purpose and Function**
- The workflow generates **non-forgeable SLSA Level 3 provenance** for artifacts built using GitHub Actions. This provenance includes details such as the build environment, source code origin, and steps used to create the artifact, helping users verify authenticity and integrity.
- It is part of the **SLSA framework** (Supply Chain Levels for Software Artifacts), an OpenSSF initiative to prevent tampering and improve trust in open-source software.

---

### ⚙️ 2. **Workflow Structure**
The workflow consists of two main jobs:
- **Build Job**: Generates artifacts and computes their SHA256 hashes.
- **Provenance Job**: Uses the `slsa-framework/slsa-github-generator` to generate and sign provenance documents.

Example snippet:
```yaml
jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      digests: ${{ steps.hash.outputs.digests }}
    steps:
      - uses: actions/checkout@v4
      - name: Build artifacts
        run: |
          echo "artifact1" > artifact1
          echo "artifact2" > artifact2
      - name: Generate subject for provenance
        id: hash
        run: |
          files=$(ls artifact*)
          # The output key must match the name read by `outputs:` above (`digests`)
          echo "digests=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"

  provenance:
    needs: [build]
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      base64-subjects: "${{ needs.build.outputs.digests }}"
      upload-assets: true
```

---

### 🔧 3. **Key Steps**
1. **Artifact Build**: Projects build artifacts using their preferred tools and languages.
2. **Hash Generation**: SHA256 checksums of artifacts are computed and base64-encoded.
3. **Provenance Generation**: The SLSA generic generator workflow is invoked to create a signed provenance file (in [in-toto](https://in-toto.io/) format).
4. **Upload**: The provenance file can be attached to GitHub releases for verification.

---

### 🔍 4. **Verification**
Users can verify artifacts using the `slsa-verifier` CLI tool:
```bash
slsa-verifier \
  --artifact-path <artifact> \
  --provenance <provenance-file> \
  --source <expected-repo> \
  --tag <expected-tag>
```
This checks the provenance against the artifact and build parameters.

---

### 🛡️ 5. **Security Benefits**
- **Prevents Attacks**: Mitigates rollback attacks, repository hijacking, and unauthorized builds by ensuring artifacts come from trusted sources and workflows.
- **Build Transparency**: Exposes detailed build steps and parameters, allowing users to validate the build process.

---

### 💡 6. **Adoption Examples**
- Projects like `urllib3`, `ko`, and `grpc-gateway` use this workflow.
- The `cursor-free-vip` project attempted to adopt it (see [PR #609](yeongpin/cursor-free-vip#609)) but reverted the change later.

---

### 📌 7. **Important Notes**
- **Permissions**: The workflow requires `id-token: write` for signing and `contents: write` for uploading assets.
- **Language Agnostic**: Works with any programming language or build tool.

---

For more details, refer to the [official SLSA documentation](https://slsa.dev) or the [SLSA GitHub generator repository](https://github.com/slsa-framework/slsa-github-generator).
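As an added example (not part of the commit message, the SLSA generator, or the `cursor-free-vip` project), the subject blob the build job hands to the provenance job, built and checked in Python: it mirrors the `sha256sum $files | base64 -w0` step, decodes the blob back into in-toto style subjects, and checks an artifact digest against them, which is the local analogue of the digest check `slsa-verifier --artifact-path` performs. The artifact names and contents are constructed to match the build step shown above.

```python
import base64
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_base64_subjects(files: dict[str, bytes]) -> str:
    """Mirror the workflow's `sha256sum $files | base64 -w0`.

    sha256sum (text mode) prints one "<hex>  <name>" line per file,
    digest and name separated by two spaces, each line newline-terminated.
    """
    lines = "".join(f"{sha256_hex(content)}  {name}\n"
                    for name, content in sorted(files.items()))
    return base64.b64encode(lines.encode()).decode()


def parse_subjects(b64: str) -> list[dict]:
    """Decode the blob into in-toto style subjects:
    [{"name": ..., "digest": {"sha256": ...}}, ...].
    Raises ValueError on bad base64 or a line that is not sha256sum output."""
    subjects = []
    for line in base64.b64decode(b64, validate=True).decode().splitlines():
        if not line.strip():
            continue
        parts = line.split("  ", 1)
        if (len(parts) != 2 or len(parts[0]) != 64
                or any(c not in "0123456789abcdef" for c in parts[0])):
            raise ValueError(f"malformed sha256sum line: {line!r}")
        subjects.append({"name": parts[1], "digest": {"sha256": parts[0]}})
    return subjects


def verify_artifact(name: str, content: bytes, subjects: list[dict]) -> bool:
    """True only if a subject with this name exists and its digest matches."""
    for subject in subjects:
        if subject["name"] == name:
            return subject["digest"]["sha256"] == sha256_hex(content)
    return False


# Constructed samples: what `echo "artifact1" > artifact1` etc. produce,
# plus a blob whose digest field is too short to be a SHA-256.
SAMPLE_FILES = {"artifact1": b"artifact1\n", "artifact2": b"artifact2\n"}
MALFORMED_BLOB = base64.b64encode(b"deadbeef  artifact1\n").decode()

if __name__ == "__main__":
    subjects = parse_subjects(make_base64_subjects(SAMPLE_FILES))
    print(verify_artifact("artifact1", b"artifact1\n", subjects))  # True
    print(verify_artifact("artifact1", b"tampered\n", subjects))   # False
```

This covers only the digest binding between artifact and provenance subject; `slsa-verifier` additionally validates the provenance signature and the builder identity, and compares the recorded source repository and tag with `--source` and `--tag`.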