Comments (6)
We don't have a good way to support this use case currently. The identity which is embedded in the attestation is derived from the repository associated with the workflow. This means that the repository and git commit referenced in the provenance attestation would refer to the private build repo, not the public source repo.
To leverage provenance attestations today you'd have to co-locate your source code and your build workflow in the same repository.
Could this realistically be supported in the future? Or is this fundamental to how attestation works?
I think that it may be possible to support something like this in the future, but will probably require that attestation support get baked-in to the GitHub Actions system as a first-class feature. In its current form, the provenance attestation really requires that the source and the build workflow be located in the same repository.
Noting that this also affects workflows that use a reusable workflow from another repo to create the attestation. The attestation refers to the reusable workflow rather than the workflow that used it, and if that exists in another repo then the attestation won't be verifiable.
@johnbillion I think the use case you're describing is a bit different. We definitely support verification of attestations created with reusable workflows from different repositories. See the information about using the --signer-repo and --signer-workflow flags here.
@bdehamer Thanks!