Support for pull_request #358

Open
ianlewis opened this issue Jun 20, 2022 · 5 comments
Labels
status:help wanted Extra attention is needed type:feature New feature or request

Comments

@ianlewis
Member

This is a tracking issue for supporting pull_request events. Please comment regarding your use case.

@asraa
Collaborator

asraa commented Oct 8, 2022

Another use case is to test the configuration.

For example, I didn't realize that env vars are case-sensitive and ran into this problem

env variable empty or not set: {{ .Env.Version }}

because I had been using VERSION in my evaluated-envs.

See slsa-framework/slsa-verifier#298
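
Added example (not part of the thread and not the project's own code): a Go pre-flight check that a pull request job could run to catch the case mismatch described in the comment above before a release build. The helper name `checkEnvRefs` and the sample values are hypothetical; the message text mirrors the error quoted in the comment.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
	"text/template/parse"
)

// checkEnvRefs (hypothetical helper) parses a Go template string and reports
// each top-level {{ .Env.NAME }} whose NAME has no exact-case match in envs.
// References nested inside if/range/with blocks are not inspected.
func checkEnvRefs(tmpl string, envs map[string]string) ([]string, error) {
	t, err := template.New("cfg").Parse(tmpl)
	if err != nil {
		return nil, err
	}
	var problems []string
	for _, n := range t.Tree.Root.Nodes {
		act, ok := n.(*parse.ActionNode)
		if !ok {
			continue // literal text between actions
		}
		for _, cmd := range act.Pipe.Cmds {
			for _, arg := range cmd.Args {
				f, ok := arg.(*parse.FieldNode)
				if !ok || len(f.Ident) != 2 || f.Ident[0] != "Env" {
					continue
				}
				name := f.Ident[1]
				if _, set := envs[name]; set {
					continue
				}
				msg := "env variable empty or not set: {{ .Env." + name + " }}"
				for k := range envs {
					if strings.EqualFold(k, name) {
						msg += " (case mismatch: " + k + " is set)"
					}
				}
				problems = append(problems, msg)
			}
		}
	}
	return problems, nil
}

func main() {
	envs := map[string]string{"VERSION": "v1.2.3"} // constructed sample
	problems, err := checkEnvRefs("-X main.version={{ .Env.Version }}", envs)
	fmt.Println(problems, err)
}
```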

@ianlewis
Member Author

The OpenZeppelin folks mentioned that they would like support for pull requests:
OpenZeppelin/defender-client#277

@asraa
Collaborator

asraa commented Jul 18, 2023

Is there anything stopping delegator from PR events? I believe it should be able to output unsigned attestations if there's a guard on the sign-attestations step.

@ianlewis
Member Author

Right. I think signing is the biggest thing though there are some other subtle differences as well. I think we had issues with which git sha we pick up when generating the provenance? I can't exactly remember but I think detect-workflow-js already supports it:

(workflowData.event === "pull_request" ||

@johnandersen777

johnandersen777 commented Sep 8, 2023

It would be nice to have id-token scoped to reflect it being issued within the context of a pull request so that artifacts generated during pull request runs such as OCI images could be uploaded to appropriately access controlled registries.

johnandersen777 pushed a commit to johnandersen777/scitt-api-emulator that referenced this issue Sep 12, 2023
Token is not available within pull_request context.

Related: slsa-framework/slsa-github-generator#131
Related: slsa-framework/slsa-github-generator#358
Signed-off-by: John Andersen <[email protected]>
SteveLasker pushed a commit to scitt-community/scitt-api-emulator that referenced this issue Oct 18, 2023
* Add plugin helper entrypoint_style_load() to assist with loading auth middleware
* Add server CLI arg for Flask middleware loaded via entrypoint style load plugin helper
* OIDC auth middleware plugin
* Refactor test Service expose url with bound port to Flask app
* In preparation for use by flask test app used as OIDC endpoints
* Tests for OIDC based auth middleware
* Update pip, setuptools, wheel to avoid deprecation warning on dependency install.
* Example CI job for GitHub Actions OIDC authenticated notary
* Token is not available within pull_request context.
* Document OIDC authentication middleware usage with GitHub Actions
* Validation of OIDC claims via JSON schema validator

Related: slsa-framework/slsa-github-generator#131
Related: slsa-framework/slsa-github-generator#358
Related: actions/runner#2417 (comment)

Signed-off-by: John Andersen <[email protected]>
johnandersen777 pushed a commit to johnandersen777/scitt-api-emulator that referenced this issue Nov 23, 2023
…unity#31)

* Add plugin helper entrypoint_style_load() to assist with loading auth middleware
* Add server CLI arg for Flask middleware loaded via entrypoint style load plugin helper
* OIDC auth middleware plugin
* Refactor test Service expose url with bound port to Flask app
* In preparation for use by flask test app used as OIDC endpoints
* Tests for OIDC based auth middleware
* Update pip, setuptools, wheel to avoid deprecation warning on dependency install.
* Example CI job for GitHub Actions OIDC authenticated notary
* Token is not available within pull_request context.
* Document OIDC authentication middleware usage with GitHub Actions
* Validation of OIDC claims via JSON schema validator

Related: slsa-framework/slsa-github-generator#131
Related: slsa-framework/slsa-github-generator#358
Related: actions/runner#2417 (comment)

Signed-off-by: John Andersen <[email protected]>