Github Action implementation of SLSA Provenance Generation of level 1
Report Bug
·
Request Feature
This GitHub action implements the level 1 requirements of the SLSA framework. By using this GitHub Action it is possible to easily generate the provenance file for different artifact types. Different artifact types include, but not limited to:
- Files
- Push event (Docker Hub, trigger different workflow, etc)
While there are no integrity guarantees on the produced provenance at L1, publishing artifact provenance in a common format opens up opportunities for automated analysis and auditing. Additionally, moving build definitions into source control and onto well-supported, secure build systems represents a marked improvement from the ecosystem's current state.
This is not an official GitHub Action set up and maintained by the SLSA team. This GitHub Action is built for research purposes by Philips Research. It is heavily inspired by the original Provenance Action example built by SLSA.
SLSA is a framework intended to codify and promote secure software supply-chain practices. SLSA helps trace software artifacts (e.g. binaries) back to the build and source control systems that produced them using in-toto's Attestation metadata format.
Get started quickly by reading the information below.
Ensure you have the following installed:
- Golang
- Docker
The following IDE is recommended when working on this codebase:
-
Clone the repo.
git clone [email protected]:philips-labs/slsa-provenance-action.git
-
Build the binary.
make build
-
Execute the binary.
./bin/slsa-provenance help
Our Docker images are available at both GitHub Container Registry (ghcr) and Docker Hub.
Docker Hub See all available images here. Run the Docker image by doing:
docker run philipssoftware/slsa-provenance:v0.2.0GitHub Container Registry See all available images here. Run the Docker image by doing:
docker run ghcr.io/philips-labs/slsa-provenance:v0.2.0The Docker image includes the working binary that can be executed by using the slsa-provenance command.
The easiest way to use this action is to add the following into your workflow file. Additional configuration might be necessary to fit your usecase.
GitHub Releases
Add the following part in your workflow file:
See ci workflow for a full example using GitHub releases.
⚠️ NOTE: this job depends on a release job that publishes the release assets to a GitHub Release.
provenance:
name: provenance
needs: [release]
runs-on: ubuntu-20.04
steps:
- name: Generate provenance for Release
uses: philips-labs/[email protected]
with:
artifact_path: release-assets
output_path: 'build.provenance'
tag_name: ${{ github.ref_name }}
env:
GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}"GitHub artifacts
Add the following part in your workflow file:
See example workflow for a full example using GitHub artifacts.
generate-provenance:
name: Generate build provenance
runs-on: ubuntu-latest
steps:
- name: Download build artifact
uses: actions/download-artifact@v2
with:
path: artifact/
- name: Generate provenance
uses: philips-labs/SLSA-Provenance-Action@8c78a6b34703824b9561a26b1ae5893beea9a332
with:
artifact_path: artifact/
- name: Upload provenance
uses: actions/upload-artifact@v2
with:
path: build.provenanceAn action to generate SLSA build provenance for an artifact
| parameter | description | required | default |
|---|---|---|---|
| artifact_path | path to artifact or directory of artifacts | true |
|
| output_path | path to write build provenance file | true |
build.provenance |
| github_context | internal (do not set): the "github" context object in json | true |
${{ toJSON(github) }} |
| runner_context | internal (do not set): the "runner" context object in json | true |
${{ toJSON(runner) }} |
| tag_name | The github release to generate provenance on. | ||
| (if set the artifacts will be downloaded from the release and the provenance will be added as an additional release asset.) | |||
false |
- Generate Command that generates the provenance.
- Help Command that prints helpful information about what commands and arguments can be used.
- Version Command that prints version information about the binary that is used.
If you have a suggestion that would make this project better, please fork the repository and create a pull request. You can also simply open an issue with the tag "enhancement".
- Fork the Project
- Create your Feature Branch (
git checkout -b feature/AmazingFeature) - Commit your Changes (
git commit -m 'Add some AmazingFeature') - Push to the Branch (
git push origin feature/AmazingFeature) - Open a Pull Request
Please refer to the Contributing Guidelines for all the guidelines.
Distributed under the MIT License. See LICENSE for more information.
Powered by Philips SWAT Eindhoven
This project is inspired by:
![dependabot[bot] avatar](https://avatars.githubusercontent.com/in/29110?v=4 "dependabot[bot]")
React
Typescript
Django
Laravel
Facebook
Microsoft
Google
Alibaba
D3
Tencent