Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add privacy-check action #836

Merged
merged 11 commits into from
Sep 14, 2022
Merged

Add privacy-check action #836

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
99eea1e
Add actions:read to Go builder job step
Sep 9, 2022
1d33e26
Add privacy-check action
Sep 14, 2022
13ce39d
Remove actions:read
Sep 14, 2022
553b403
Merge branch 'main' into 823-bug-slsa-goreleaser-action-fails-on-crea…
Sep 14, 2022
462fc68
Add check-dist pre-submit for privacy-check
Sep 14, 2022
54f1128
fix action name
Sep 14, 2022
a488645
Update map file
Sep 14, 2022
032ee05
Update map
Sep 14, 2022
1132b2b
Fix check-dist name
Sep 14, 2022
965a94a
Fix check-dist checks
Sep 14, 2022
86df9c1
add steps to check-dist
Sep 14, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 3 additions & 2 deletions .github/workflows/builder_go_slsa3.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -231,8 +231,9 @@ jobs:
runs-on: ubuntu-latest
needs: [builder, build, build-dry, rng]
permissions:
id-token: write # Needed for keyless.
id-token: write # Needed to create an OIDC token for keyless signing.
contents: read
actions: read # Needed to read workflow info.
outputs:
go-provenance-name: ${{ steps.sign-prov.outputs.signed-provenance-name }}
go-provenance-sha256: ${{ steps.sign-prov.outputs.signed-provenance-sha256 }}
Expand Down Expand Up @@ -284,7 +285,7 @@ jobs:
###################################################################
upload-assets:
permissions:
contents: write
contents: write # Needed to write artifacts to a release.
runs-on: ubuntu-latest
needs: [build-dry, build, provenance]
if: startsWith(github.ref, 'refs/tags/') && inputs.upload-assets == true
Expand Down
10 changes: 3 additions & 7 deletions .github/workflows/generator_container_slsa3.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -72,13 +72,9 @@ jobs:
runs-on: ubuntu-latest
needs: [detect-env]
permissions:
# id-token:write is needed to create an OIDC token for keyless signing.
id-token: write
# actions permissions are needed to read info on the workflow and
# workflow run.
actions: read
# packages:write permissions are needed to login and upload attestations.
packages: write
id-token: write # Needed to get OIDC token for keyless signing.
actions: read # Needed to read workflow info.
packages: write # Needed to login and upload attestations to ghcr.io.
steps:
- name: Generate builder
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@f9878d18f3c896502bdb5bbb96187fb787d529bb
Expand Down
8 changes: 3 additions & 5 deletions .github/workflows/generator_generic_slsa3.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -89,11 +89,9 @@ jobs:
runs-on: ubuntu-latest
needs: [detect-env]
permissions:
id-token: write # Needed for keyless.
id-token: write # Needed to create an OIDC token for keyless signing.
contents: read
# actions permissions are needed to read info on the workflow and
# workflow run.
actions: read
actions: read # Needed to read workflow info.
steps:
- name: Generate builder
uses: slsa-framework/slsa-github-generator/.github/actions/generate-builder@f9878d18f3c896502bdb5bbb96187fb787d529bb
Expand Down Expand Up @@ -153,7 +151,7 @@ jobs:
runs-on: ubuntu-latest
needs: [generator]
permissions:
contents: write
contents: write # Needed to write artifacts to a release.
if: startsWith(github.ref, 'refs/tags/') && inputs.upload-assets == true
steps:
- name: Download the provenance
Expand Down