[improvement] Document or provide usage for how to re-run/backfill provenance generation on failure #1190
Comments
asraa
added
type:documentation
|
Another request here about backfilling SLSA provenance: The most simple way would only be if the build is reproducible and is re-executed in the workflow at a certain tag which can be given as a tag parameter of the caller workflow. We could even expedite the upload asset part with #713 |
asraa
changed the title
Can you share a pointer to doc or steps describing - how this can be done in Github. In case of our project |
Working on it now with an example project! |
|
@johanbrandhorst @droot I was working on a re-trigger for grpc-gateways workflow.
However, when trying with grpc-gateway, I didn't get reproducible builds. This is the workflow that I've been running on my own fork https://github.com/asraa/grpc-gateway/blob/master/.github/workflows/release.yml. @droot I can also take a look at yours. |
|
That's fair enough, I can't say why we don't have reproducible builds, the build timestamp might be making it into the binary without some extra build arguments. Feel free to just make it easy to dry-run test the workflow without trying to recreate previous releases. |
Sounds good, expect a PR on your end soon! |
ianlewis
added
type:discussion
per some conversation with @droot on using the workflows
Describe the bug
Right now, if a project performs a release that generates SLSA provenance, and the provenance generation step fails, then they not have a GitHub release at a tag that does not contain the provenance. They may need to update the builder or change the workflow. They also prefer immutable tags and not force pushing tags after the fix. There are some alternatives and things we can suggest:
Either way, we should add some documentation to the README.md for suggested usage. Let's definitely suggest the preventative approach.
The text was updated successfully, but these errors were encountered: