feat: verify provenance for bcr modules produced by trusted reusable workflows#840
Merged
ramonpetgrave64 merged 4 commits intoslsa-framework:mainfrom Apr 10, 2025
Merged
Conversation
Contributor
|
@loosebazooka thanks for doing this. Yes, so far this is what's needed. Try to get a sample attestation and unit test in this file (probably in a new test function), even if it's failing. |
Contributor
Author
|
well we're currently on the dev branch of the builder, so I don't think we want to submit this in anyway. Once we finalize the builder I'll actually add tests. |
|
FYI we have the first Bazel module published with attestations, and the presubmit fails since the reusable workflow isn't allow-listed here: bazelbuild/bazel-central-registry#4060 |
loosebazooka
force-pushed
the
addbcrverify
branch
from
84ba083 to
8b6d4dd
Compare
Contributor
Author
|
working on adding tests, I've updated to configure for both the release and publish workflows |
loosebazooka
force-pushed
the
addbcrverify
branch
from
8b6d4dd to
7bc2e49
Compare
loosebazooka
force-pushed
the
addbcrverify
branch
from
7bc2e49 to
b62c8af
Compare
loosebazooka
changed the title
loosebazooka
force-pushed
the
addbcrverify
branch
3 times, most recently
from
01b1958 to
b73d111
Compare
ramonpetgrave64
suggested changes
Mar 28, 2025
| @@ -0,0 +1,34 @@ | |||
| "Bazel dependencies" | |||
Contributor
There was a problem hiding this comment.
This is the sample artifact? For folks new to bazel, can you give a quick explainer for why this file is the artifact?
Contributor
Author
There was a problem hiding this comment.
Similar to a java pom.xml/go.mod or whatever. It lets bcr determine the dependency tree for a module.
verifiers/internal/gha/verifier.go
Outdated
| } | ||
|
|
||
| return verifyEnvAndCert(signedAtt.Envelope, signedAtt.SigningCert, | ||
| provenanceOpts, builderOpts, defaultBCRReusableWorkflows) |
Contributor
There was a problem hiding this comment.
I'm wondering it it makes more sense to add the new functionality in the existing VerifyArtifact()
And then depednig on the builder_id, it can decide how to extract the TriggerURI.
Member
There was a problem hiding this comment.
I'm curious what about this is specific to BCR since it looks to be just using the GitHub's attestation action. I tend to agree that this seems like this functionality could be added a bit more generically.
Contributor
Author
There was a problem hiding this comment.
Yeah that was the initial pathway I took. I wanted to flag behind experimental and only allow specific builderids. The initial path was very generic, and maybe I can go back to that. I also want to only allow sigstore signed attestations
I misunderstood the generic comment, I've reworked this for now.
| bcrReleaserBuilderID := "https://github.com/bazel-contrib/.github/.github/workflows/release_ruleset.yaml" | ||
| bcrPublisherBuilderID := "https://github.com/bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml" | ||
|
|
||
| tests := []struct { |
Contributor
There was a problem hiding this comment.
Add some negative tests for malicious attestations.
ianlewis
reviewed
Mar 29, 2025
cli/slsa-verifier/main.go
Outdated
| } | ||
| c.AddCommand(version.Version()) | ||
| c.AddCommand(verifyArtifactCmd()) | ||
| c.AddCommand(verifyBCRModuleCmd()) |
Member
There was a problem hiding this comment.
It looks like the workflow is just using actions/attest-build-provenance to create an attestation.
What about this requires specific command for bcr modules? Is it just that we are trusting a specific builder ID? Could this be a more generic command? If we want to limit verifying provenance generated by actions/attest-build-provenance to specific trusted builder IDs, could we just have an option like slsa-verifier verify-github-attestation --builder bazel-central-registry or something along those lines?
Contributor
Author
There was a problem hiding this comment.
I can change this to verify-github-attestation , I'm not deep enough into slsa land to understand the consequences here. Is the builderId spoofable in any way?
Contributor
Author
There was a problem hiding this comment.
oh right, builderId nees to match the SAN in the certificate
Member
There was a problem hiding this comment.
Yes. It's not spoofable because we check it against the certificate SAN (at least for sigstore which is all we support currently).
If we implemented private PKI in the future the consumer would presumably trust that the private key is only available to the build system that set the builder ID in that case.
mbland
added a commit
to mbland/rules_scala
that referenced
this pull request
Mar 31, 2025
Updates `.github/workflows/release.yml` and adds `publish-to-bcr.yml` for publishing to the Bazel Central Registry. Part of bazel-contrib#1482 broken out from bazel-contrib#1722. `release.yml` now uses the `release_ruleset` workflow from `bazel-contrib/.github`, which does everything `release.yml` did previously and adds SLSA provenance attestations. `release.yml` then invokes the new `publish-to-bcr.yml` workflow after publishing a successful release to GitHub. Based on aspect-build/rules_lint#498 and aspect-build/rules_lint#501. See `.bcr/README.md`. --- Extracting this from bazel-contrib#1722 makes that pull request more focused, and prevents holding it up based on any discussion around these workflow changes in particular. It's also unclear if the infrastructure will be in place to support these workflows before we're ready to publish the first `rules_scala` module. Though these workflows will supersede the Publish to BCR app, it may take some time to resolve slsa-framework/slsa-verifier#840. aspect-build/rules_lint#508, @alexeagle manually triggered a workflow run based on these workflows, which generated an attestation: - https://github.com/aspect-build/rules_lint/actions/runs/14095611671 - https://github.com/aspect-build/rules_lint/attestations/5857159 Here are some examples of GitHub's attestation UI in general: - https://github.com/aspect-build/rules_lint/attestations And some relevant GitHub docs: - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow - https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#secrets-context - https://docs.github.com/en/actions/sharing-automations/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow - https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_callsecrets
There are no default builder ids for verify-github-attestation. This can perhaps be made a little more generic where any builder as long as it conforms to spec and is provided via the --builder-id flag release-workflow: https://github.com/bazel-contrib/.github/.github/workflows/release_ruleset.yaml publish-workflow: https://github.com/bazel-contrib/publish-to-bcr/.github/workflows/publish.yaml Signed-off-by: Appu Goundan <appu@google.com>
loosebazooka
force-pushed
the
addbcrverify
branch
from
b73d111 to
c730634
Compare
Comment on lines
+1528
to
+1534
| name: "module.bazel using publishing builder", | ||
| artifact: "MODULE.bazel", | ||
| source: "github.com/aspect-build/rules_lint", | ||
| builderID: bcrPublisherBuilderID, | ||
| }, | ||
| { | ||
| name: "source archive using release builder", |
Contributor
There was a problem hiding this comment.
For NPM, they put their build attestation and "publish" attestation together in one .jsonl file. Does it make sense for the bazel workflow(s) to do similarly?
Contributor
Author
There was a problem hiding this comment.
No they are designed to execute separately unfortunately. I think we can revisit in the future. but that's how it is for now. These are also separates files. One ([release archive (my-module.tar.gz)) lives in the github repo and the others (MODULE.bazel, source.json) live in the bcr repository. Maybe the diagram in here shows that?
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com> Signed-off-by: Appu <appu@google.com>
Co-authored-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com> Signed-off-by: Appu <appu@google.com>
Contributor
ramonpetgrave64
left a comment
ramonpetgrave64
left a comment
There was a problem hiding this comment.
Looks good. Just pending somethings we discussed in bazel slack about the workflows. But i think we can merge sooner than later, before an official release.
loosebazooka
force-pushed
the
addbcrverify
branch
from
e86a602 to
8c0a2c6
Compare
Signed-off-by: Appu Goundan <appu@google.com>
loosebazooka
force-pushed
the
addbcrverify
branch
from
8c0a2c6 to
8cd628d
Compare
fweikert
added a commit
to fweikert/bazel-central-registry
that referenced
this pull request
Apr 3, 2025
...instead of `slsa-verifier verify-artifact` since the latter cannot handle attestations created by the canonical GitHub action. NOTE: This change will only work once the latest slsa-verifier release contains slsa-framework/slsa-verifier#840. Progress towards bazelbuild#3829.
fweikert
added a commit
to fweikert/bazel-central-registry
that referenced
this pull request
Apr 3, 2025
...instead of `slsa-verifier verify-artifact` since the latter cannot handle attestations created by the canonical GitHub action. NOTE: This change will only work once the latest slsa-verifier release contains slsa-framework/slsa-verifier#840. Progress towards bazelbuild#3829.
meteorcloudy
pushed a commit
to bazelbuild/bazel-central-registry
that referenced
this pull request
Apr 4, 2025
...instead of `slsa-verifier verify-artifact` since the latter cannot handle attestations created by the canonical GitHub action. NOTE: This change will only work once the latest slsa-verifier release contains slsa-framework/slsa-verifier#840. Progress towards #3829.
fweikert
reviewed
Apr 7, 2025
|
|
||
| func (c *VerifyGithubAttestationCommand) Exec(ctx context.Context, artifact string) (*utils.TrustedBuilderID, error) { | ||
| if !options.ExperimentalEnabled() { | ||
| err := errors.New("feature support is only provided in SLSA_VERIFIER_EXPERIMENTAL mode") |
There was a problem hiding this comment.
Is this really necessary now that it's a standalone command?
Contributor
Author
There was a problem hiding this comment.
I think we should leave it for now. If we want to change the api surface or anything, I would like to do so with minimal deprecation windows.
Contributor
Author
|
@ianlewis any other thoughts here? |
bobcallaway
approved these changes
Apr 10, 2025
ramonpetgrave64
approved these changes
Apr 10, 2025
|
Thanks everyone! Do you have a planned date for the next release? |
fweikert
added a commit
to fweikert/bazel-central-registry
that referenced
this pull request
Apr 10, 2025
We need slsa-framework/slsa-verifier#840 for slsa-verifier to work, and this RC is the only version that contains it. Progress towards bazelbuild#3829
meteorcloudy
pushed a commit
to bazelbuild/bazel-central-registry
that referenced
this pull request
Apr 11, 2025
We need slsa-framework/slsa-verifier#840 for slsa-verifier to work, and this RC is the only version that contains it. Progress towards #3829
mbland
added a commit
to mbland/rules_scala
that referenced
this pull request
Apr 15, 2025
Updates `.github/workflows/release.yml` and adds `publish-to-bcr.yml` for publishing to the Bazel Central Registry. Part of bazel-contrib#1482 broken out from bazel-contrib#1722. `release.yml` now uses the `release_ruleset` workflow from `bazel-contrib/.github`, which does everything `release.yml` did previously and adds SLSA provenance attestations. `release.yml` then invokes the new `publish-to-bcr.yml` workflow after publishing a successful release to GitHub. Based on aspect-build/rules_lint#498 and aspect-build/rules_lint#501. See `.bcr/README.md`. --- Extracting this from bazel-contrib#1722 makes that pull request more focused, and prevents holding it up based on any discussion around these workflow changes in particular. It's also unclear if the infrastructure will be in place to support these workflows before we're ready to publish the first `rules_scala` module. Though these workflows will supersede the Publish to BCR app, it may take some time to resolve slsa-framework/slsa-verifier#840. aspect-build/rules_lint#508, @alexeagle manually triggered a workflow run based on these workflows, which generated an attestation: - https://github.com/aspect-build/rules_lint/actions/runs/14095611671 - https://github.com/aspect-build/rules_lint/attestations/5857159 Here are some examples of GitHub's attestation UI in general: - https://github.com/aspect-build/rules_lint/attestations And some relevant GitHub docs: - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow - https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#secrets-context - https://docs.github.com/en/actions/sharing-automations/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow - https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_callsecrets
mbland
added a commit
to mbland/rules_scala
that referenced
this pull request
Apr 21, 2025
Updates `.github/workflows/release.yml` and adds `publish-to-bcr.yml` for publishing to the Bazel Central Registry. Part of bazel-contrib#1482 broken out from bazel-contrib#1722. `release.yml` now uses the `release_ruleset` workflow from `bazel-contrib/.github`, which does everything `release.yml` did previously and adds SLSA provenance attestations. `release.yml` then invokes the new `publish-to-bcr.yml` workflow after publishing a successful release to GitHub. Based on aspect-build/rules_lint#498 and aspect-build/rules_lint#501. See `.bcr/README.md`. --- Extracting this from bazel-contrib#1722 makes that pull request more focused, and prevents holding it up based on any discussion around these workflow changes in particular. It's also unclear if the infrastructure will be in place to support these workflows before we're ready to publish the first `rules_scala` module. Though these workflows will supersede the Publish to BCR app, it may take some time to resolve slsa-framework/slsa-verifier#840. aspect-build/rules_lint#508, @alexeagle manually triggered a workflow run based on these workflows, which generated an attestation: - https://github.com/aspect-build/rules_lint/actions/runs/14095611671 - https://github.com/aspect-build/rules_lint/attestations/5857159 Here are some examples of GitHub's attestation UI in general: - https://github.com/aspect-build/rules_lint/attestations And some relevant GitHub docs: - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow - https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#secrets-context - https://docs.github.com/en/actions/sharing-automations/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow - https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_callsecrets
mbland
added a commit
to mbland/rules_scala
that referenced
this pull request
Apr 21, 2025
Updates `.github/workflows/release.yml` and adds `publish-to-bcr.yml` for publishing to the Bazel Central Registry. Part of bazel-contrib#1482 broken out from bazel-contrib#1722. `release.yml` now uses the `release_ruleset` workflow from `bazel-contrib/.github`, which does everything `release.yml` did previously and adds SLSA provenance attestations. `release.yml` then invokes the new `publish-to-bcr.yml` workflow after publishing a successful release to GitHub. Based on aspect-build/rules_lint#498 and aspect-build/rules_lint#501. See `.bcr/README.md`. --- Extracting this from bazel-contrib#1722 makes that pull request more focused, and prevents holding it up based on any discussion around these workflow changes in particular. It's also unclear if the infrastructure will be in place to support these workflows before we're ready to publish the first `rules_scala` module. Though these workflows will supersede the Publish to BCR app, it may take some time to resolve slsa-framework/slsa-verifier#840. aspect-build/rules_lint#508, @alexeagle manually triggered a workflow run based on these workflows, which generated an attestation: - https://github.com/aspect-build/rules_lint/actions/runs/14095611671 - https://github.com/aspect-build/rules_lint/attestations/5857159 Here are some examples of GitHub's attestation UI in general: - https://github.com/aspect-build/rules_lint/attestations And some relevant GitHub docs: - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow - https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#secrets-context - https://docs.github.com/en/actions/sharing-automations/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow - https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_callsecrets
mbland
added a commit
to mbland/rules_scala
that referenced
this pull request
Apr 21, 2025
Updates `.github/workflows/release.yml` and adds `publish-to-bcr.yml` for publishing to the Bazel Central Registry. Part of bazel-contrib#1482 broken out from bazel-contrib#1722. `release.yml` now uses the `release_ruleset` workflow from `bazel-contrib/.github`, which does everything `release.yml` did previously and adds SLSA provenance attestations. `release.yml` then invokes the new `publish-to-bcr.yml` workflow after publishing a successful release to GitHub. Based on aspect-build/rules_lint#498 and aspect-build/rules_lint#501. See `.bcr/README.md`. --- Extracting this from bazel-contrib#1722 makes that pull request more focused, and prevents holding it up based on any discussion around these workflow changes in particular. It's also unclear if the infrastructure will be in place to support these workflows before we're ready to publish the first `rules_scala` module. Though these workflows will supersede the Publish to BCR app, it may take some time to resolve slsa-framework/slsa-verifier#840. aspect-build/rules_lint#508, @alexeagle manually triggered a workflow run based on these workflows, which generated an attestation: - https://github.com/aspect-build/rules_lint/actions/runs/14095611671 - https://github.com/aspect-build/rules_lint/attestations/5857159 Here are some examples of GitHub's attestation UI in general: - https://github.com/aspect-build/rules_lint/attestations And some relevant GitHub docs: - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow - https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#secrets-context - https://docs.github.com/en/actions/sharing-automations/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow - https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_callsecrets
mbland
added a commit
to mbland/rules_scala
that referenced
this pull request
Apr 27, 2025
Updates `.github/workflows/release.yml` and adds `publish-to-bcr.yml` for publishing to the Bazel Central Registry. Part of bazel-contrib#1482 broken out from bazel-contrib#1722. `release.yml` now uses the `release_ruleset` workflow from `bazel-contrib/.github`, which does everything `release.yml` did previously and adds SLSA provenance attestations. `release.yml` then invokes the new `publish-to-bcr.yml` workflow after publishing a successful release to GitHub. Based on aspect-build/rules_lint#498 and aspect-build/rules_lint#501. See `.bcr/README.md`. --- Extracting this from bazel-contrib#1722 makes that pull request more focused, and prevents holding it up based on any discussion around these workflow changes in particular. It's also unclear if the infrastructure will be in place to support these workflows before we're ready to publish the first `rules_scala` module. Though these workflows will supersede the Publish to BCR app, it may take some time to resolve slsa-framework/slsa-verifier#840. aspect-build/rules_lint#508, @alexeagle manually triggered a workflow run based on these workflows, which generated an attestation: - https://github.com/aspect-build/rules_lint/actions/runs/14095611671 - https://github.com/aspect-build/rules_lint/attestations/5857159 Here are some examples of GitHub's attestation UI in general: - https://github.com/aspect-build/rules_lint/attestations And some relevant GitHub docs: - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow - https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#secrets-context - https://docs.github.com/en/actions/sharing-automations/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow - https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_callsecrets
mbland
added a commit
to mbland/rules_scala
that referenced
this pull request
Apr 27, 2025
Updates `.github/workflows/release.yml` and adds `publish-to-bcr.yml` for publishing to the Bazel Central Registry. Part of bazel-contrib#1482 broken out from bazel-contrib#1722. `release.yml` now uses the `release_ruleset` workflow from `bazel-contrib/.github`, which does everything `release.yml` did previously and adds SLSA provenance attestations. `release.yml` then invokes the new `publish-to-bcr.yml` workflow after publishing a successful release to GitHub. Based on aspect-build/rules_lint#498 and aspect-build/rules_lint#501. See `.bcr/README.md`. --- Extracting this from bazel-contrib#1722 makes that pull request more focused, and prevents holding it up based on any discussion around these workflow changes in particular. It's also unclear if the infrastructure will be in place to support these workflows before we're ready to publish the first `rules_scala` module. Though these workflows will supersede the Publish to BCR app, it may take some time to resolve slsa-framework/slsa-verifier#840. aspect-build/rules_lint#508, @alexeagle manually triggered a workflow run based on these workflows, which generated an attestation: - https://github.com/aspect-build/rules_lint/actions/runs/14095611671 - https://github.com/aspect-build/rules_lint/attestations/5857159 Here are some examples of GitHub's attestation UI in general: - https://github.com/aspect-build/rules_lint/attestations And some relevant GitHub docs: - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow - https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#secrets-context - https://docs.github.com/en/actions/sharing-automations/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow - https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_callsecrets
mbland
added a commit
to mbland/rules_scala
that referenced
this pull request
Apr 27, 2025
Updates `.github/workflows/release.yml` and adds `publish-to-bcr.yml` for publishing to the Bazel Central Registry. Part of bazel-contrib#1482 broken out from bazel-contrib#1722. `release.yml` now uses the `release_ruleset` workflow from `bazel-contrib/.github`, which does everything `release.yml` did previously and adds SLSA provenance attestations. `release.yml` then invokes the new `publish-to-bcr.yml` workflow after publishing a successful release to GitHub. Based on aspect-build/rules_lint#498 and aspect-build/rules_lint#501. See `.bcr/README.md`. --- Extracting this from bazel-contrib#1722 makes that pull request more focused, and prevents holding it up based on any discussion around these workflow changes in particular. It's also unclear if the infrastructure will be in place to support these workflows before we're ready to publish the first `rules_scala` module. Though these workflows will supersede the Publish to BCR app, it may take some time to resolve slsa-framework/slsa-verifier#840. aspect-build/rules_lint#508, @alexeagle manually triggered a workflow run based on these workflows, which generated an attestation: - https://github.com/aspect-build/rules_lint/actions/runs/14095611671 - https://github.com/aspect-build/rules_lint/attestations/5857159 Here are some examples of GitHub's attestation UI in general: - https://github.com/aspect-build/rules_lint/attestations And some relevant GitHub docs: - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow - https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#secrets-context - https://docs.github.com/en/actions/sharing-automations/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow - https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_callsecrets
mbland
added a commit
to mbland/rules_scala
that referenced
this pull request
Apr 28, 2025
Updates `.github/workflows/release.yml` and adds `publish-to-bcr.yml` for publishing to the Bazel Central Registry. Part of bazel-contrib#1482 broken out from bazel-contrib#1722. `release.yml` now uses the `release_ruleset` workflow from `bazel-contrib/.github`, which does everything `release.yml` did previously and adds SLSA provenance attestations. `release.yml` then invokes the new `publish-to-bcr.yml` workflow after publishing a successful release to GitHub. Based on aspect-build/rules_lint#498 and aspect-build/rules_lint#501. See `.bcr/README.md`. --- Extracting this from bazel-contrib#1722 makes that pull request more focused, and prevents holding it up based on any discussion around these workflow changes in particular. It's also unclear if the infrastructure will be in place to support these workflows before we're ready to publish the first `rules_scala` module. Though these workflows will supersede the Publish to BCR app, it may take some time to resolve slsa-framework/slsa-verifier#840. aspect-build/rules_lint#508, @alexeagle manually triggered a workflow run based on these workflows, which generated an attestation: - https://github.com/aspect-build/rules_lint/actions/runs/14095611671 - https://github.com/aspect-build/rules_lint/attestations/5857159 Here are some examples of GitHub's attestation UI in general: - https://github.com/aspect-build/rules_lint/attestations And some relevant GitHub docs: - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow - https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#secrets-context - https://docs.github.com/en/actions/sharing-automations/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow - https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_callsecrets
mbland
added a commit
to mbland/rules_scala
that referenced
this pull request
Apr 29, 2025
Updates `.github/workflows/release.yml` and adds `publish-to-bcr.yml` for publishing to the Bazel Central Registry. Part of bazel-contrib#1482 broken out from bazel-contrib#1722. `release.yml` now uses the `release_ruleset` workflow from `bazel-contrib/.github`, which does everything `release.yml` did previously and adds SLSA provenance attestations. `release.yml` then invokes the new `publish-to-bcr.yml` workflow after publishing a successful release to GitHub. Based on aspect-build/rules_lint#498 and aspect-build/rules_lint#501. See `.bcr/README.md`. --- Extracting this from bazel-contrib#1722 makes that pull request more focused, and prevents holding it up based on any discussion around these workflow changes in particular. It's also unclear if the infrastructure will be in place to support these workflows before we're ready to publish the first `rules_scala` module. Though these workflows will supersede the Publish to BCR app, it may take some time to resolve slsa-framework/slsa-verifier#840. aspect-build/rules_lint#508, @alexeagle manually triggered a workflow run based on these workflows, which generated an attestation: - https://github.com/aspect-build/rules_lint/actions/runs/14095611671 - https://github.com/aspect-build/rules_lint/attestations/5857159 Here are some examples of GitHub's attestation UI in general: - https://github.com/aspect-build/rules_lint/attestations And some relevant GitHub docs: - https://docs.github.com/en/actions/security-for-github-actions/security-guides/using-secrets-in-github-actions#using-secrets-in-a-workflow - https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/accessing-contextual-information-about-workflow-runs#secrets-context - https://docs.github.com/en/actions/sharing-automations/reusing-workflows#passing-inputs-and-secrets-to-a-reusable-workflow - https://docs.github.com/en/actions/writing-workflows/workflow-syntax-for-github-actions#onworkflow_callsecrets
2 tasks
filmil
pushed a commit
to filmil/bazel-central-registry
that referenced
this pull request
Jun 23, 2025
...instead of `slsa-verifier verify-artifact` since the latter cannot handle attestations created by the canonical GitHub action. NOTE: This change will only work once the latest slsa-verifier release contains slsa-framework/slsa-verifier#840. Progress towards bazelbuild#3829.
filmil
pushed a commit
to filmil/bazel-central-registry
that referenced
this pull request
Jun 23, 2025
We need slsa-framework/slsa-verifier#840 for slsa-verifier to work, and this RC is the only version that contains it. Progress towards bazelbuild#3829
ramonpetgrave64
added a commit
that referenced
this pull request
Jun 23, 2025
Followup to #840 Resolves #849 Removes the experimental flag for verifying bazel attestations. TODO: - [ ] add example invocation for bazel #858 (review) - [ ] create a new release --------- Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
@fweikert these are the changes I think might be needed to get this to work (it's somewhat hacky, I'm not sure I've fully covered what's needed).
@ramonpetgrave64 is this kinda what's needed?
This now adds the
verify-github-attestationsub command. Use this instead ofverify-artifact.