Consider adding SLSA provenance to releases #3627

Open
udf2457 opened this issue Apr 30, 2024 · 2 comments

Comments

udf2457 commented Apr 30, 2024

Please consider adding SLSA provenance to your releases.

Some examples of using GitHub and goreleaser:

https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator

Background info:
https://docs.sigstore.dev/signing/overview/

@joe-elliott
Member

Thanks for the suggestion. I am not opposed to this if you (or anyone else) would like to attempt a PR.

@udf2457
Author

udf2457 commented May 3, 2024

Thanks @joe-elliott, I am tied down with $work at the moment until (at least) July/August.

But if I get a chance I might experiment with a PR. I also see GitHub have just (2 May) announced something that might potentially simplify the process even further: https://github.blog/changelog/2024-05-02-artifact-attestations-public-beta/

Meanwhile, as you say, if anyone else wants to help...
