Comments (7)
A good point of comparison would be the docker actions for building and pushing images. They use buildx in their case and support building for different architectures using qemu.
https://github.com/marketplace/actions/build-and-push-docker-images
from slsa-github-generator.
Generating a provenance based off a Dockerfile is a great start. You may also want to see how the same could be done for builds using tools like ko
and buildpacks. These are both very popular alternatives to managing Dockerfiles.
from slsa-github-generator.
For sure. I think @laurentsimon shared https://github.com/laurentsimon/slsa-github-generator-ko with you on slack maybe, but the idea is we will eventually merge that workflow here as well.
Buildpacks is a good idea but I think getting provenance generation for simple Dockerfiles working is probably a higher priority for now. We're happy to take issues and contributions if folks want to take on specific workflows or features.
from slsa-github-generator.
This sounds like it can be a very useful workflow. Any progress on it? Doesn't look like it has been picked yet.
from slsa-github-generator.
This sounds like it can be a very useful workflow. Any progress on it? Doesn't look like it has been picked yet.
Here is the top-level tracking issue: project-oak/transparent-release#145
We hope to have an initial version by the end of Q4'22.
from slsa-github-generator.
Is this done?
from slsa-github-generator.
It is not. @ianlewis started it but it's not complete yet. Maybe in the meantime you could use:
- https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/docker. You create an image as a dockerfile and use that to build your artifact. See https://slsa.dev/blog/2023/06/slsa-github-worfklows-container-based
- https://github.com/slsa-framework/slsa-github-generator/tree/main/internal/builders/container build the docker image yourself and get an attestation for it
from slsa-github-generator.
Related Issues (20)
- [e2e]: generic tag main assets slsa3 HOT 1
- [e2e]: nodejs push branch1 default slsa3 HOT 1
- [e2e]: go tag main config-ldflags-assets slsa3 HOT 1
- Is it possible to rebuild attestation previously generated for a release? HOT 2
- [e2e]: nodejs push branch1 default slsa3 HOT 1
- [e2e]: maven workflow_dispatch main default slsa3 HOT 2
- [e2e]: delegator-generic release main default slsa3 HOT 1
- [e2e]: go schedule main config-ldflags-main slsa3 HOT 1
- [bug] docker generator should ouput logs as command is running
- [bug] slsa-framework/slsa-github-generator deadlocks if builder outputs a lot of data over stdio HOT 1
- [bug] Currently released docker generator deadlocks for complex builds HOT 1
- [e2e]: maven workflow_dispatch main default slsa3 HOT 1
- [e2e]: nodejs push branch1 default slsa3 HOT 1
- chore: v.2.0.0 - tracking HOT 4
- [e2e]: delegator-lowperms tag main default slsa3 HOT 1
- [e2e]: gcb tag main annotated-build slsa3 HOT 1
- [e2e]: gcb tag main annotated-build slsa3 HOT 13
- [e2e]: maven workflow_dispatch main default slsa3 HOT 1
- [e2e]: go schedule main config-noldflags slsa3 HOT 1
- [e2e]: delegator-lowperms tag main default slsa3 HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from slsa-github-generator.