75 changes: 75 additions & 0 deletions .github/workflows/generator-generic-ossf-slsa3-publish.yml
@@ -0,0 +1,75 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# This workflow lets you generate SLSA provenance file for your project.
# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
# The project is an initiative of the OpenSSF (openssf.org) and is developed at
# https://github.com/slsa-framework/slsa-github-generator.
# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.

name: SLSA generic generator
on:
workflow_dispatch:
release:
types: [created]
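Review bot: No top-level `permissions:` block is declared, so the `build` job runs with the repository's default `GITHUB_TOKEN` scope; the `provenance` job declares its own permissions at job level, so a top-level block would only narrow `build`. Suggest adding, directly after the `on:` block, `permissions:` followed by `contents: read`, and leaving the `provenance` job's `actions: read`, `id-token: write` and `contents: write` as its job-level override.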
Comment on lines +13 to +17

Copilot AI Feb 7, 2026

This workflow doesn’t set explicit permissions for GITHUB_TOKEN. Other workflows in this repo do (e.g., .github/workflows/lint.yml:2-3, .github/workflows/docs.yml:15-18, .github/workflows/release.yml:16-18). Add minimal permissions (likely contents: read for build, and only what’s needed for provenance) to follow the repo’s pattern and reduce token scope.

jobs:
build:
runs-on: ubuntu-latest
outputs:
digests: ${{ steps.hash.outputs.digests }}

Comment on lines +22 to +24

Copilot AI Feb 7, 2026

outputs.digests references steps.hash.outputs.digests, but the hash step writes hashes=... to $GITHUB_OUTPUT (so steps.hash.outputs.digests will be empty). Rename the emitted output key to digests (or update all references to use hashes) so base64-subjects gets the expected value.

steps:
- uses: actions/checkout@v4

# ========================================================
#
# Step 1: Build your artifacts.
#
# ========================================================
- name: Build artifacts
run: |
# These are some amazing artifacts.
echo "artifact1" > artifact1
echo "artifact2" > artifact2

- name: Upload build artifacts
uses: actions/upload-artifact@v4
with:
name: build-artifacts
path: artifact*
# ========================================================
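Review bot: `actions/checkout@v4` and `actions/upload-artifact@v4` are referenced by mutable major-version tags, while the header comment itself flags these as third-party actions not certified by GitHub. Suggest pinning each to a full-length commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha> # v4` (the SHA is a placeholder here; take it from the action's release page), so that a tag move cannot silently change what the build job executes. This applies to the two composite actions only; the reusable generator workflow referenced further down is pinned by its release tag, which is the form the slsa-github-generator project documents.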
Comment on lines +41 to +44

Copilot AI Feb 5, 2026

The comment mentions "all binaries that you generate provenance for" but the example code generates text files, not binaries. This inconsistency between the comment and the example could be confusing.

Consider updating the comment to be more generic (e.g., "all artifacts") or updating the example to generate actual binary artifacts to match the comment.

#
# Step 2: Add a step to generate the provenance subjects
# as shown below. Update the sha256 sum arguments
# to include all binaries that you generate
# provenance for.
#
# ========================================================
- name: Generate subject for provenance
id: hash
run: |
set -euo pipefail

# List the artifacts the provenance will refer to.
files=$(compgen -G "artifact*" || true)
if [ -z "$files" ]; then
Copilot AI Feb 5, 2026

The output variable name is inconsistent. Line 59 sets the output as 'hashes' but line 23 references it as 'digests'. This will cause the workflow to fail because the provenance job will receive an empty value.

Change line 59 to use 'digests' instead of 'hashes' to match the output reference, or update line 23 to reference 'hashes' instead of 'digests'.

echo "Error: no artifacts found matching pattern 'artifact*'." >&2
exit 1
fi
# Generate the subjects (base64 encoded).
echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
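Review bot: Under `set -e`, a failure inside the `$(sha256sum ... | base64 -w0)` substitution on the last line is not fatal, because the exit status that errexit checks is `echo`'s, so a hashing error would write an empty or partial `hashes=` value and the step would still report success. Suggest assigning first, where errexit (with pipefail) does apply to the substitution's status, and only then writing the output: `subjects=$(sha256sum "${files[@]}" | base64 -w0)` followed by `echo "digests=${subjects}" >> "${GITHUB_OUTPUT}"`. This also fixes the key name (`hashes` here versus `steps.hash.outputs.digests` in the job outputs) and quotes the file list as an array; `files` then has to be populated with `mapfile -t` instead of the string assignment above.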
Copilot AI Feb 5, 2026

There is a mismatch between the output variable name and its usage. The script sets the output as "hashes" but it's referenced as "digests" in the job outputs (line 23) and when passed to the provenance job (line 65). This will cause the workflow to fail because the output variable will be undefined. Change "hashes" to "digests" to match the expected output name.

Suggested change
echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
echo "digests=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"

Comment on lines +58 to +64

Copilot AI Feb 5, 2026

The variable files may contain newlines if multiple files match the pattern, which could cause issues with the unquoted variable expansion in the sha256sum command on line 59. If filenames contain spaces or special characters, this could lead to incorrect behavior or security issues.

Consider using a safer approach such as:

  • Using an array to store filenames
  • Quoting the variable properly
  • Using find with -print0 and xargs -0 for more robust file handling
Suggested change
files=$(compgen -G "artifact*" || true)
if [ -z "$files" ]; then
echo "Error: no artifacts found matching pattern 'artifact*'." >&2
exit 1
fi
# Generate the subjects (base64 encoded).
echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
mapfile -t files < <(compgen -G "artifact*" || true)
if [ "${#files[@]}" -eq 0 ]; then
echo "Error: no artifacts found matching pattern 'artifact*'." >&2
exit 1
fi
# Generate the subjects (base64 encoded).
echo "hashes=$(sha256sum "${files[@]}" | base64 -w0)" >> "${GITHUB_OUTPUT}"

provenance:
needs: [build]
permissions:
actions: read # To read the workflow path.
id-token: write # To sign the provenance.
Copilot AI Feb 5, 2026

The workflow sets upload-assets: true which attempts to upload provenance to a release, but the workflow can be triggered by workflow_dispatch (manual trigger) when there is no release event. This will cause the provenance job to fail when manually triggered.

Consider either:

  1. Removing workflow_dispatch from the triggers if assets should only be uploaded during releases
  2. Making upload-assets conditional based on the trigger type
  3. Setting upload-assets: false and handling asset uploads separately

contents: write # To add assets to a release.
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
with:
base64-subjects: "${{ needs.build.outputs.digests }}"
upload-assets: true # Optional: Upload to a new release
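Review bot: `upload-assets: true` is unconditional, yet the workflow also runs on `workflow_dispatch`, where there is no release to attach assets to. Suggest `upload-assets: ${{ github.event_name == 'release' }}` so a manual run still generates provenance without attempting a release upload, and the `contents: write` grant is only exercised on release events. Separately, `base64-subjects` reads `needs.build.outputs.digests`, which stays empty unless the hash step's output key is renamed from `hashes` to `digests`.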