Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

attestation: drop workflow check on core attestation #17331

Merged
merged 1 commit into from
May 18, 2024
Merged

attestation: drop workflow check on core attestation #17331

merged 1 commit into from
May 18, 2024

Conversation

woodruffw
Copy link
Member

@woodruffw woodruffw commented May 18, 2024
edited

  • Have you followed the guidelines in our Contributing document?
  • Have you checked to ensure there aren't other open Pull Requests for the same change?
  • Have you added an explanation of what your changes do and why you'd like us to include them?
  • Have you written new tests for your changes? Here's an example.
  • Have you successfully run brew style with your changes locally?
  • Have you successfully run brew typecheck with your changes locally?
  • Have you successfully run brew tests with your changes locally?

This follows the workflow changes I made in homebrew-core:

With those changes, (hopefully) all of our bottle-uploading workflows now produce provenance. However, this means we no longer have a single workflow to verify on. As a result, this change relaxes the check to allow any attestation from Homebrew/homebrew-core, not just ones from the original publish workflow. I've left a detailed comment on how to ratchet this back down, but I figured I'd fix the verification failure first and then work on that 馃檪

(This should not meaningfully impact the security model, since an attacker would still need to obtain access to an OIDC credential within the context of homebrew-core.)

@woodruffw
attestation: drop workflow check on core attestation
3319e99 
Signed-off-by: William Woodruff <william@yossarian.net>
@woodruffw woodruffw self-assigned this May 18, 2024
p-linnane
p-linnane approved these changes May 18, 2024
View reviewed changes
Copy link
Member

@p-linnane p-linnane left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@p-linnane p-linnane merged commit 06abd32 into master May 18, 2024
25 checks passed
@p-linnane p-linnane deleted the ww/drop-workflow-check branch May 18, 2024 15:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@carlocab carlocab carlocab approved these changes

@p-linnane p-linnane p-linnane approved these changes

Assignees

@woodruffw woodruffw

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@woodruffw @carlocab @p-linnane