
Comments (6)

bdehamer avatar bdehamer commented on August 19, 2024

We don't have a good way to support this use case currently. The identity which is embedded in the attestation is derived from the repository associated with the workflow. This means that the repository and git commit referenced in the provenance attestation would refer to the private build repo, not the public source repo.

To leverage provenance attestations today you'd have to co-locate your source code and your build workflow in the same repository.

from attest-build-provenance.

alexrp avatar alexrp commented on August 19, 2024

Could this realistically be supported in the future? Or is this fundamental to how attestation works?


bdehamer avatar bdehamer commented on August 19, 2024

I think that it may be possible to support something like this in the future, but will probably require that attestation support get baked-in to the GitHub Actions system as a first-class feature. In its current form, the provenance attestation really requires that the source and the build workflow be located in the same repository.


johnbillion avatar johnbillion commented on August 19, 2024

Noting that this also affects workflows that use a reusable workflow from another repo to create the attestation. The attestation refers to the reusable workflow rather than the workflow that used it, and if that exists in another repo then the attestation won't be verifiable.


bdehamer avatar bdehamer commented on August 19, 2024

@johnbillion I think the use case you're describing is a bit different. We definitely support verification of attestations created with reusable workflows from different repositories. See the information about using the --signer-repo and --signer-workflow flags here.


johnbillion avatar johnbillion commented on August 19, 2024

@bdehamer Thanks!

