Add SLSA generic generator workflow #1412
This workflow generates SLSA provenance files for projects, satisfying level 3 requirements. It includes steps for building artifacts and generating provenance subjects.
Pull Request Overview
This PR adds a GitHub Actions workflow for generating SLSA provenance files to satisfy level 3 supply chain security requirements. However, the implementation contains placeholder code that needs to be replaced with actual build logic.
Key Changes:
- Adds SLSA provenance generation workflow triggered on releases and manual dispatch
- Implements two-job workflow: build artifacts and generate provenance
- Configures permissions for signing and uploading provenance to releases
| steps: | ||
| -uses:actions/checkout@v4 | ||
| # ======================================================== | ||
| # | ||
| # Step 1: Build your artifacts. | ||
| # | ||
| # ======================================================== |
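Review bot: The `actions/checkout@v4` reference on the first step is a mutable tag; in a workflow whose purpose is to produce provenance, pin it to a full commit SHA (keeping the version in a trailing comment) so the build job's inputs cannot change under the same tag. The "Step 1: Build your artifacts." banner is also still template text, so the real build commands need to replace it before the hashes passed to the provenance job mean anything.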
Copilot AI, Nov 16, 2025
The build job is missing the Go setup step required to build this Go project. Add the actions/setup-go action before building, similar to the configuration in goreleaser.yml (with go-version-file: "go.mod").
@copilot open a new pull request to apply changes based on this feedback
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Kelleretoro commented Nov 17, 2025
@copilot open a new pull request to apply changes based on the comments in this thread
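
The "provenance subjects" step named in the PR description, sketched as an added example (not code from this PR or the project). It assumes the SLSA generic generator's convention that subjects are the `sha256sum` lines for the built artifacts, base64-encoded onto a single line; the function names and the sample artifact files are constructed for illustration.

```shell
#!/bin/sh
# Added example: build a subject list for release artifacts and check a file
# against it. Assumed format: `sha256sum` lines ("<hex digest>  <name>"),
# base64-encoded with newlines stripped so the value fits in one job output.

# make_subjects FILE... -> prints the base64-encoded subject list
make_subjects() {
    sha256sum -- "$@" | base64 | tr -d '\n'
}

# check_subject SUBJECTS_B64 FILE
# Returns 0 only if FILE's current digest and name match a line in the list.
# This is a digest-membership check only; it does not verify the signature
# on the provenance that carries the subjects.
check_subject() {
    subjects_b64=$1
    file=$2
    want=$(sha256sum -- "$file") || return 2
    printf '%s' "$subjects_b64" | base64 -d | grep -Fxq -- "$want"
}

# demo: constructed artifacts in a temp dir; one is modified after hashing.
demo() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        printf 'constructed artifact one\n' > artifact1
        printf 'constructed artifact two\n' > artifact2
        subjects=$(make_subjects artifact1 artifact2)

        check_subject "$subjects" artifact1 && echo "artifact1: listed"

        # Simulate a change between the build job and the release upload.
        printf 'modified after build\n' >> artifact2
        check_subject "$subjects" artifact2 || echo "artifact2: digest mismatch"
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
```

Run both functions from the directory that holds the artifacts, since `sha256sum` records the file name exactly as it was passed and the match is on the whole line.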