Add GitHub Artifact Attestations post #56

Update
Signed-off-by: Ian Lewis <ianmlewis@gmail.com>
ianlewis committed May 23, 2024
commit bbc8e6cbb99c96b07ae04e3f037add2dfe6eabe0
20 changes: 12 additions & 8 deletions en/_posts/2024-05-23-understanding-github-artifact-attestations.md
@@ -37,8 +37,8 @@ about how GitHub Artifact Attestations work and their relation to SLSA levels.
Generating attestations is done using the
[`attest-build-provenance`](https://github.com/actions/attest-build-provenance)
GitHub action. Github’s blog post does a good job of explaining how it works so
I won’t rehash it fully here. I’ll just summarize the flow and highlight some
additional information that will be important later.
I won’t rehash it fully here. Instead, I’ll summarize the flow and highlight
some additional information that will be important later.

1. `attest-build-provenance` requests an OIDC token from the GitHub OIDC
provider. This OIDC token contains [information about the
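Review bot: the reworded sentence ("Instead, I'll summarize the flow and highlight some additional information that will be important later.") reads fine, but the unchanged context line just above it still says "Github's blog post" with a lowercase "h"; since this paragraph is being edited anyway, normalize it to "GitHub's blog post" to match the rest of the paragraph ("GitHub action", "GitHub OIDC provider"). The sentence also leans on that blog post for the details that are deliberately skipped here, so a link to the post would help readers who want the part being summarized.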
@@ -184,15 +184,19 @@ for GitHub’s official CLI tool.
3. The expected values for the owner or repo given by the user are matched
against the signing certificate’s OID claims.

Notice that nowhere here did we actually use the contents of the SLSA
predicate for verification. We’ll discuss why this is below.
Notice that nowhere here did we actually use the contents of the SLSA predicate
for verification. I think this is an oversight but we’ll discuss why that might
have been omitted below.

Next, let's discuss some of the trade-offs of this architecture.

<!-- TODO: PR on the gh CLI repo? -->

## A Good User Experience

By providing a GitHub Action, GitHub gives users the maximum amount of
flexibility when integrating this into their GitHub Actions workflows. It’s
really easy to add a job step to your workflow and pass it a path to your
artifact file.
By providing a GitHub Action, GitHub gives users flexibility when integrating
this into their GitHub Actions workflows. It’s simple to add a job step to
your workflow and pass it a path to your artifact file.

```
- name: Attest Build Provenance
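Review bot: the HTML comment `<!-- TODO: PR on the gh CLI repo? -->` added after "Next, let's discuss some of the trade-offs of this architecture." is an unresolved TODO landing in a published post; HTML comments in Markdown still ship in the rendered page source, so either resolve it (open the PR and link it, or drop the idea) or remove the comment before merge. Separately, the new wording "I think this is an oversight but we'll discuss why that might have been omitted below" hedges in both directions; consider stating concretely what a verifier gives up by never reading the SLSA predicate, using the point already visible in step 3 (only the owner or repo is matched against the signing certificate's OID claims), so the reader knows what to look for in the trade-offs section that follows.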