New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Proposal] add provenance document creation support based on in-toto attestations #2737
Comments
maybe we can approach this issue from a different angle, we can use slsa-provenance CLI from philips-labs to generate an SLSA provenance, then we can sign and attach it using cosign under the hood instead of generating it our own in GoReleaser. or we can use this: slsa-framework/github-actions-demo |
I think we can experiment running the action before running goreleaser, then just adding the file to the release and signing it |
scratch that, it needs to run after... so, not sure if we use the action directly or integrate it more properly with goreleaser maybe its possible to use the signs config for it? 🤔 |
I think the slsa-provenance type could work (it's still an in-toto type). Let me know if there is anything I can help w/ it |
Happy to have a chat on how we can integrate slsa-provenance with goreleaser. We are using goreleaser as well for releasing the slsa-provenance-action. "chicken and egg" problem to release our own thing with goreleaser, once the provenance feature is added. |
hey @marcofranssen , feel free to ping me on our discord! https://discord.gg/RGEBtg8vQ6 |
is there someone interested in working on this? |
There is also another project that can help us. It generates an attestation (based on SLSA) and stores it in a Rekor public transparency log server provided by the sigstore community. > https://github.com/slsa-framework/slsa-github-generator-go |
@Dentrax, let's give it a try? |
ping @Dentrax |
I'd like to propose the same UX that was being proposed by @wagoodman in his Syft integration to GoReleaser (#2597)
|
@developer-guy lgtm! |
Hey! As mentioned before, we've been creating trusted builders using reuseable workflows to generate slsa provenance. for golang, we modeled our config after goreleaser. The reusable workflow guarantees isolation from the calling workflow (the projects) maintainer's from interfering with the build and provenance generation, something unique to reuseable workflows over actions because env variables and defaults don't propogate to them. I'm wondering if it's possible to support a goreleaser "reuseable workflow" that can use the same goreleaser binary and config, but guarantees a strong isolation over an action. Taking a look at https://github.com/slsa-framework/slsa-github-generator/blob/675472104f54a100560e96e8090921390a77cadf/.github/workflows/builder_go_slsa3.yml#L84-L88, the steps of our builder does:
If goreleaser supports a dry run for the build, then we could directly substitute the goreleaser build. There may be some flags and environment vars goreleaser may allow that we don't currently allow, but TBD |
I thought that GoReleaser could use these SLSA provenance generators that were out there, such as slsa-framework/slsa-github-generator, philips-labs/slsa-provenance-action, but @asraa gave another idea, and she tell us that IIUC, we could make GoReleaser is a part of its provenance generator for building binaries, that is so interesting, and we should discuss on that @caarlos0 |
yes, tbh I'm not well versed in all that and don't know how most of it works, so maybe we could chat about it on discord or something (or here too, wherever you prefer 🙏) |
Please keep me in the loop as well. I work with @asraa on slsa-framework/slsa-github-generator. |
@laurentsimon will probably keep posting here and/or in our discord |
Has anybody started work on this yet? Maybe we can integrate the slsa-github-generator as a lib. |
I don't think anyone is working on it, no, wanna give it a try? |
Hey! Recently @laurentsimon and I have been working on creating an "action wrapper" that reaches SLSA 3, and we thought of GoReleaser Action as the perfect candidate for that. We are targetting the next quarter or two for GA of it -- it may make sense @Dentrax to integrate with this. If you're interested, we can share how to do that! (It's a lot more lightweight than reconstructing libraries or coding. Just workflow templating) |
We can showcase a demo in a few weeks. What's the best way to get in touch? slack? |
I'm on discord, I think @Dentrax is too. |
count me in ! |
hey! we are one step closer. I have a "POC" that performs a goreleaser build and creates Sigstore signed SLSA 3 provenance. There's obvious missing parts that I didn't do yet:
Here's the test run: https://github.com/asraa/slsa-on-github-test/actions/runs/4017434808 producing the goreleaser artifacts in Here is the SLSA 3 goreleaser workflow (that wraps the action): https://github.com/asraa/slsa-on-github/blob/main/.github/workflows/goreleaser_slsa3.yml Let's chat! I'll definitely need some help writing docs, testing, making examples. |
Here's another PoC for anchor sbom-action (the reusable workflow are just copied from @asraa 's example): You can define arguments inputs (mirroring the original Action): and pass it to the original Action: |
gently pint: what's the state of this one? |
We have done an integration for jreleaser, see https://slsa.dev/blog/2023/08/bring-your-own-builder-github and https://github.com/jreleaser/release-action/tree/v1.1.0-java. |
hey @laurentsimon Yeah, seems like jreleaser's slsa integration is easier to use than the example from that blog post... I think it would be nice to do something similar... cc/ @developer-guy wdyt? |
Note that are are also security considerations:
|
great resources, thanks for sharing! |
np. To be fair on the runner, we have slsa-framework/slsa-github-generator#1868 which may fix it :) |
Will any of you attend KubeCon Paris? |
ouch, I did not see the thumb up :/ Anyone attending OSS@NA? |
I'll be there, as will some other in-toto/attestation folks. |
Is your feature request related to a problem? Please describe.
This is a feature, not related to a problem.
Describe the solution you'd like
Attestations are more like a document/record to give details about how the software was built. in-toto provides/defines very detailed documents for it, so, GoReleaser can generate software provenance documents based on in-toto attestations IMHO.
Tekton Chains is also creating this document based on its format.
Additional context
cc: @dlorenc @caarlos0 @Dentrax @adityasaky @SantiagoTorres
The text was updated successfully, but these errors were encountered: