Language-agnostic SLSA provenance generation for Github Actions

  • By SLSA Framework
  • Last update: Jan 9, 2023
  • Comments: 15

Generation of SLSA3+ provenance for native GitHub projects

This repository contains tools for generating non-forgeable SLSA provenance on GitHub that meets the build and provenance requirements for SLSA level 3 and above.

Use of the provided GitHub Actions reusable workflows alone is not sufficient to meet all of the requirements at SLSA level 3. Specifically, the source requirements are not covered by these workflows and must be handled explicitly to meet all requirements at SLSA level 3+.

This repository contains the code, examples and technical design for the system described in the blog post on Non-forgeable SLSA provenance using GitHub workflows.



Roadmap

The project roadmap is tracked via milestones. You can track progress and open issues via the milestones page. Each milestone includes a description of what is being worked on and a rough timeline for completion.

Generation of provenance

Below we describe the various builders and generators in this repository. They let you build and/or generate non-forgeable provenance using a trusted, isolated reusable workflow. You can read up on the design in our technical design document.

Note: At present the GitHub Actions provided in this repository as builders and generators MUST be referenced by a tag that corresponds to a semantic version of the form @vX.Y.Z. The build will fail if you reference it via a shorter tag like @vX.Y or @vX, or if you reference it by a tag of a different form (e.g., @main).
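A pre-merge check for the tag rule above, added here as an example and not part of the project: it scans a caller workflow for slsa-github-generator `uses:` references and rejects any ref that is not of the form vX.Y.Z. The workflow fragment it writes for testing is constructed; generator_generic_slsa3.yml is the generic generator's reusable workflow file.

```bash
# Added example (not part of slsa-github-generator): lint caller workflows so
# that every slsa-github-generator reusable-workflow reference uses a full
# semantic-version tag (@vX.Y.Z). Shorter tags (@v1, @v1.2), branch names
# (@main) and commit SHAs are reported, since the build fails with them.

# check_generator_refs FILE
# Prints each non-compliant reference; returns 0 only if all refs comply
# (a file with no slsa-github-generator references is treated as compliant).
check_generator_refs() {
    file="$1"
    rc=0
    # Keep only the part after '@' on 'uses: slsa-framework/slsa-github-generator/...@REF' lines.
    refs=$(sed -n 's#^[[:space:]]*uses:[[:space:]]*slsa-framework/slsa-github-generator/[^@]*@\([^[:space:]]*\).*$#\1#p' "$file")
    for ref in $refs; do
        if ! printf '%s\n' "$ref" | grep -Eq '^v[0-9]+\.[0-9]+\.[0-9]+$'; then
            echo "$file: non-compliant ref '@$ref' (must be @vX.Y.Z)"
            rc=1
        fi
    done
    return "$rc"
}

# write_sample_workflow FILE REF
# Writes a constructed caller-workflow fragment (not from the project's docs)
# that calls the generic generator at REF, for exercising the lint locally.
write_sample_workflow() {
    cat > "$1" <<EOF
jobs:
  provenance:
    needs: build
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@$2
    with:
      base64-subjects: \${{ needs.build.outputs.hashes }}
EOF
}

# Demo: one compliant and one non-compliant reference.
tmpdir=$(mktemp -d)
write_sample_workflow "$tmpdir/ok.yml" v1.2.1
write_sample_workflow "$tmpdir/bad.yml" main
check_generator_refs "$tmpdir/ok.yml" && echo "ok.yml: compliant"
check_generator_refs "$tmpdir/bad.yml" || echo "bad.yml: rejected as expected"
rm -rf "$tmpdir"
```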

Builders

Builders build and generate provenance. They let you meet the build and provenance requirements for SLSA Level 3 and above.

Builders are able to report the commands used to generate your artifact in the provenance.

This repository hosts the following builders:

  1. Go Builder SLSA Level 3. Status: available since v1.0.0. This builder builds and generates provenance for your Go projects. To use it, follow the Go builder's README.md.
  2. Container Builder SLSA Level 3. Status: WIP, expected release in Sept 2022. This builder will build your container image and generate provenance. The generated provenance will be compatible with cosign's attestation format.
  3. Dockerfile-based Builder SLSA Level 3. Status: WIP, see #23. This builder will build arbitrary artifacts using building steps defined in a Dockerfile.

If you would rather build your project yourself, use the generators instead as explained in the next section.

Provenance-only generators

Provenance-only generators let you build your artifact, and only generate provenance for you. They let you meet the provenance requirements for SLSA Level 3.

Generators create an attestation to a software artifact coming from your repository.

Generators are not able to report the commands used to generate your artifact in the provenance.

This repository hosts the following generators:

  1. Generic generator SLSA Level 3. Status: available since v1.2.0. This generator generates provenance for arbitrary artifacts of your choice. To use it, follow the Generic generator's README.md.
  2. Container generator SLSA Level 3. Status: WIP, expected release Aug-Sept 2022, see #409. This generator will generate provenance for container images. The generated provenance will be compatible with cosign's attestation format.
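Because generators leave the build to you, the build job has to hand them the artifact digests. As an added example that is not the project's own code, the following shell step produces the generic generator's base64-subjects input for several artifacts at once (the input is the base64 encoding of sha256sum output, one line per artifact) and re-checks it; the three files are constructed stand-ins for real build outputs.

```bash
# Added example (not part of slsa-github-generator): build-side helpers for the
# generic generator's "base64-subjects" input, which is sha256sum output
# ("<sha256>  <filename>" per artifact) encoded as a single base64 line. One
# generator run therefore attests to every artifact listed, not just one.

# subjects_b64 FILE... : the value to expose as a job output for the
# provenance job. Run from the artifact directory so subject names are bare
# filenames rather than paths.
subjects_b64() {
    sha256sum "$@" | base64 | tr -d '\n'
}

# verify_subjects B64 : decode the subjects and re-check each hash against the
# files on disk (useful before upload, or after download by a consumer).
# Exit status is sha256sum's, so any mismatch fails the step.
verify_subjects() {
    printf '%s' "$1" | base64 -d | sha256sum -c --quiet
}

# count_subjects B64 : how many subjects the generator will see.
count_subjects() {
    printf '%s' "$1" | base64 -d | wc -l | tr -d ' '
}

# Demo with constructed artifacts. In a real workflow the build job would do:
#   - id: hash
#     run: echo "hashes=$(subjects_b64 *.tar.gz)" >> "$GITHUB_OUTPUT"
# and the provenance job would pass
#   base64-subjects: ${{ needs.build.outputs.hashes }}
tmpdir=$(mktemp -d)
printf 'image-a' > "$tmpdir/a.tar.gz"
printf 'image-b' > "$tmpdir/b.tar.gz"
printf 'image-c' > "$tmpdir/c.tar.gz"
hashes=$(cd "$tmpdir" && subjects_b64 a.tar.gz b.tar.gz c.tar.gz)
echo "base64-subjects=$hashes"
echo "subjects: $(count_subjects "$hashes")"
(cd "$tmpdir" && verify_subjects "$hashes") && echo "all subjects match"
# Tampering with one artifact after hashing is caught by the re-check.
printf 'changed' > "$tmpdir/b.tar.gz"
(cd "$tmpdir" && verify_subjects "$hashes" 2>/dev/null) || echo "b.tar.gz: mismatch detected"
rm -rf "$tmpdir"
```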

Verification of provenance

To verify the provenance, use the github.com/slsa-framework/slsa-verifier project.

Note: At present the GitHub Actions provided in this repository as builders and generators MUST be referenced by tag in order for the slsa-verifier to be able to verify the ref of the trusted builder/generator's reusable workflow.

This is contrary to the best practice which recommends referencing by digest, but intentional due to limits in GitHub Actions. The desire to be able to verify reusable workflows pinned by hash, and the reasons for the current status, are tracked as Issue #12 in the slsa-verifier project.

Installation

To install the verifier, see slsa-framework/slsa-verifier#installation.

Inputs

The inputs of the verifier are described in slsa-framework/slsa-verifier#available-options.

Command line examples

A command line example is provided in slsa-framework/slsa-verifier#example.

Technical design

Blog post

Find our blog post series here.

Specifications

For a more in-depth technical dive, read the SPECIFICATIONS.md.

Provenance format

The format of the provenance is available in PROVENANCE_FORMAT.md.

Development

Since this project includes reusable workflows for use on GitHub Actions, local development is limited to building and testing the binaries used by the reusable workflows. The workflows themselves must be tested in your own fork.

Local commands that can be used for development are defined in the Makefile. You can list the available targets by running make.

make

Unit Tests

You can run unit tests locally using make. This requires that the Go runtime be installed.

make unit-test

Linters

This project uses several linters in order to maintain code quality. If you wish to run these linters locally, follow the instructions for each of these to install them on your development machine.

Once each of these are installed you can run the linters using make.

make lint

These linters will also run as GitHub checks for pull requests.

Comments(15)

  • 1

    [e2e]: generic tag main annotated slsa3

    Repo: https://github.com/slsa-framework/example-package/tree/v13.0.101
    Run: https://github.com/slsa-framework/example-package/actions/runs/3148082895
    Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.generic.tag.main.annotated.slsa3.yml
    Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.generic.tag.main.annotated.slsa3.yml
    Trigger: push
    Branch: v13.0.101
    Date: Thu Sep 29 01:51:39 UTC 2022

  • 2

    [e2e]: go tag main adversarial-asset-binary slsa3

    Repo: https://github.com/slsa-framework/example-package/tree/v12.0.64
    Run: https://github.com/slsa-framework/example-package/actions/runs/2661149407
    Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.go.tag.main.adversarial-asset-binary.slsa3.yml
    Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.tag.main.adversarial-asset-binary.slsa3.yml
    Trigger: push
    Branch: v12.0.64
    Date: Wed Jul 13 05:17:07 UTC 2022

  • 3

    [e2e]: go tag main adversarial-asset-provenance slsa3

    Repo: https://github.com/slsa-framework/example-package/tree/v11.0.62
    Run: https://github.com/slsa-framework/example-package/actions/runs/2660889601
    Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.go.tag.main.adversarial-asset-provenance.slsa3.yml
    Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.tag.main.adversarial-asset-provenance.slsa3.yml
    Trigger: push
    Branch: v11.0.62
    Date: Wed Jul 13 04:01:37 UTC 2022

  • 4

    [e2e]: go workflow_dispatch main workflow_inputs slsa3

    Repo: https://github.com/slsa-framework/example-package/tree/main
    Run: https://github.com/slsa-framework/example-package/actions/runs/2976473622
    Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.go.workflow_dispatch.main.workflow_inputs.slsa3.yml
    Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.workflow_dispatch.main.workflow_inputs.slsa3.yml
    Trigger: workflow_dispatch
    Branch: main
    Date: Fri Sep 2 03:44:56 UTC 2022

  • 5

    E2E: go tag main config-ldflags-noassets slsa3

    Repo: https://github.com/slsa-framework/example-package/tree/v14.0.44
    Run: https://github.com/slsa-framework/example-package/actions/runs/2540306790
    Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.go.tag.main.config-ldflags-noassets.slsa3.yml
    Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.tag.main.config-ldflags-noassets.slsa3.yml
    Trigger: push
    Branch: v14.0.44
    Date: Wed Jun 22 06:33:04 UTC 2022

  • 6

    [bug] Creating and signing provenance fails because retrieving signed certificate fails.

    Describe the bug

    Creating signed provenance fails with

    ##[debug]/usr/bin/bash --noprofile --norc -e -o pipefail /home/runner/work/_temp/12f3ed8f-b71f-4b24-816e-9adc5a6a9d03.sh
    Retrieving signed certificate...
    
            Note that there may be personally identifiable information associated with this signed artifact.
            This may include the email address associated with the account with which you authenticate.
            This information will be used for signing this artifact and will be stored in public transparency logs and cannot be removed later.
    validating log entry: unable to fetch Rekor public keys from TUF repository, and not trusting the Rekor API for fetching public keys: updating local metadata and targets: error updating to TUF remote mirror: tuf: invalid key
    remote status:{
    	"mirror": "sigstore-tuf-root",
    	"metadata": {
    		"root.json": {
    			"version": 5,
    			"len": 6388,
    			"expiration": "18 Apr 23 18:13 UTC",
    			"error": ""
    		},
    		"snapshot.json": {
    			"version": 53,
    			"len": 1973,
    			"expiration": "10 Nov 22 21:10 UTC",
    			"error": ""
    		},
    		"targets.json": {
    			"version": 5,
    			"len": 4188,
    			"expiration": "18 Apr 23 18:13 UTC",
    			"error": ""
    		},
    		"timestamp.json": {
    			"version": 53,
    			"len": 719,
    			"expiration": "03 Nov 22 21:10 UTC",
    			"error": ""
    		}
    	}
    }
    Error: Process completed with exit code 1.
    ##[debug]Finishing: Create and sign provenance
    

    To Reproduce

    This happens in a private repository, based on this job:

      provenance:
        needs: build
        # The generator should be referenced with a semantic version.
        # The build will fail if we reference it using the commit sha.
        uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
        with:
          base64-subjects: ${{ needs.build.outputs.artifacts-sha256 }}
        permissions:
          actions: read # To read the workflow path.
          id-token: write # To sign the provenance.
          contents: write # To add assets to a release.
    

    Expected behavior

    Finish successfully.

    Screenshots

    Additional context

    I’m going to be honest: I’m trying to convince people in my org to integrate SLSA into the CI and build processes, but it’s getting harder when the actions break with different issues every other week.

    I just updated to v1.2.1 and hope that’ll work.

  • 7

    Examples on using generic provenance for containers

    • [x] Example for generating provenance and storing in ghcr.io (#390)
    • [x] Examples of policy verification with Kyverno (#389)
    • [ ] Examples of policy verification with OPA (#388)
  • 8

    [e2e]: generic schedule main multi-subjects slsa3

    Repo: https://github.com/slsa-framework/example-package/tree/main
    Run: https://github.com/slsa-framework/example-package/actions/runs/3087641521
    Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml
    Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml
    Trigger: schedule
    Branch: main
    Date: Tue Sep 20 05:36:34 UTC 2022

  • 9

    [e2e]: go schedule main config-ldflags-main slsa3

    Repo: https://github.com/slsa-framework/example-package/tree/main
    Run: https://github.com/slsa-framework/example-package/actions/runs/2575503422
    Workflow file: https://github.com/slsa-framework/example-package/tree/main/.github/workflows/e2e.go.schedule.main.config-ldflags-main.slsa3.yml
    Workflow runs: https://github.com/slsa-framework/example-package/actions/workflows/e2e.go.schedule.main.config-ldflags-main.slsa3.yml
    Trigger: schedule
    Branch: main
    Date: Tue Jun 28 10:31:48 UTC 2022

  • 10

    [bug] "Generate Builder" step fails

    Describe the bug

    It looks like the Generate Builder step fails:

    Run ./.github/actions/generate-builder/generate-builder.sh
      ./.github/actions/generate-builder/generate-builder.sh
      shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
      env:
        BUILDER_BINARY: slsa-generator-generic-linux-amd64
        BUILDER_DIR: internal/builders/generic
        BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
        BUILDER_RELEASE_BINARY: slsa-generator-generic-linux-amd64
        VERIFIER_REPOSITORY: slsa-framework/slsa-verifier
        VERIFIER_RELEASE_BINARY: slsa-verifier-linux-amd64
        VERIFIER_RELEASE_BINARY_SHA256: f92fc4e571949c796d7709bb3f0814a733124b0155e484fad095b5ca68b4cb21
        VERIFIER_RELEASE: v1.1.1
        COMPILE_BUILDER: false
        BUILDER_REF: refs/tags/v1.2.0
        GH_TOKEN: ***
    Fetching the builder with ref: refs/tags/v1.2.0
    Builder version: v1.2.0
    BUILDER_REPOSITORY: slsa-framework/slsa-github-generator
    verifier hash computed is f92fc4e571949c796d7709bb3f0814a733124b0155e484fad095b5ca68b4cb21
    verifier hash verification has passed
    FAILED: SLSA verification failed: could not find a matching valid signature entry
    Error: Process completed with exit code 6.
    

    when invoked as a job similar to this public example but in a private repo:

      provenance:
        needs: build
        # The generator should be referenced with a semantic version.
        # The build will fail if we reference it using the commit sha.
        uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
        with:
          base64-subjects: ${{ needs.build.outputs.artifacts-sha256 }}
        permissions:
          actions: read # To read the workflow path.
          id-token: write # To sign the provenance.
          contents: write # To add assets to a release.
    

    To Reproduce

    Restarting the failed job continues to fail. Alas, private repo.

    Expected behavior

    This has worked before, but during today’s run it failed.

    Screenshots

    See above.

    Additional context

  • 11

    Github Job only producing one intoto.jsonl file

    I have a Github build running which is building three docker images; for each docker image I want an attestation.intoto.jsonl file, but I am only getting one file in Artifacts. Is it due to the static name and overriding happening? If so, how can I change the file name, since I am not seeing the attestation-name var in the inputs?

    How can I produce three intoto.jsonl for three docker images in one build?

  • 12

    [cleanup] [byo] Can the slsa-token be a slsa predicate?

    Is your feature request related to a problem? Please describe.

    This is something I was trying to think about as I was updating https://github.com/slsa-framework/slsa-github-generator/pull/1477

    The SLSA token should contain all the inputs needed to execute the tool, and this information should be the information in the signed predicate as well.

    I was wondering if this could in effect just be a SLSA predicate. Note that the caller workflow would be signing the predicate in the setup-token action, and after the SRW verifies it, the SRW would then use this, augment with the additional context (from the reusable workflow) to sign in the output provenance.

    Right now, the predicate I have in https://github.com/slsa-framework/slsa-github-generator/pull/1477 doesn't include the build action path or the builder info (private_repository, runner, audience) though. But that is trivial to add in buildconfig.

    The reason for this is just simplifying the format for the SLSA token.

    @laurentsimon

  • 13

    Use custom WrappableError types in the docker builder

        nit: In general, I think we'd prefer to check errors based on their type rather than the error message string.
    

    See the WrappableError type https://github.com/slsa-framework/slsa-github-generator/blob/1ed3657976aadcbd9fe3aaf2117d315e0a934e97/internal/errors/wrappable.go

    some examples where it's used https://github.com/slsa-framework/slsa-github-generator/blob/1ed3657976aadcbd9fe3aaf2117d315e0a934e97/internal/builders/generic/generic.go#L59-L82

    and some tests where it's checked https://github.com/slsa-framework/slsa-github-generator/blob/1ed3657976aadcbd9fe3aaf2117d315e0a934e97/internal/builders/generic/attest_test.go#L26

    Originally posted by @ianlewis in https://github.com/slsa-framework/slsa-github-generator/pull/1388#discussion_r1063417838

  • 14

    feat: output slsa predicate based on verifier token [DO NOT REVIEW YET]

    Signed-off-by: Asra Ali [email protected]

    As a test, I've run in slsa-delegator and produced the following provenance

    {
      "builder": {
        "id": "https://github.com/laurentsimon/slsa-delegated-tool/.github/workflows/tool1_slsa3.yml@refs/heads/main"
      },
      "build_type": "https://github.com/slsa-framework/slsa-github-generator/delegator-generic@v0",
      "invocation": {
        "parameters": {
          "event_inputs": {
            "release-tag": "v1"
          }
        },
        "config_source": {
          "uri": "git+https://github.com/laurentsimon/slsa-delegate-project@refs/heads/main",
          "entry_point": ".github/workflows/release.yml",
          "digest": {
            "sha1": "8cbf4d422367d8499d5980a837cb9cc8e1e67001"
          }
        },
        "environment": {
          "github_run_number": "3858190098",
          "github_run_id": "3858190098",
          "github_run_attempt": "1",
          "github_event_name": "workflow_dispatch",
          "github_ref_type": "branch",
          "github_ref": "refs/heads/main",
          "github_base_ref": "",
          "github_head_ref": "",
          "github_actor": "asraa",
          "github_sha1": "8cbf4d422367d8499d5980a837cb9cc8e1e67001",
          "github_repository_owner": "laurentsimon",
          "github_repository_owner_id": "",
          "github_actor_id": "",
          "github_repository_id": "",
          "github_event_payload": {
            "inputs": {
              "release-tag": "v1"
            },
            "ref": "refs/heads/main",
            "repository": {
              "allow_forking": true,
              "archive_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/{archive_format}{/ref}",
              "archived": false,
              "assignees_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/assignees{/user}",
              "blobs_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/git/blobs{/sha}",
              "branches_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/branches{/branch}",
              "clone_url": "https://github.com/laurentsimon/slsa-delegate-project.git",
              "collaborators_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/collaborators{/collaborator}",
              "comments_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/comments{/number}",
              "commits_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/commits{/sha}",
              "compare_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/compare/{base}...{head}",
              "contents_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/contents/{+path}",
              "contributors_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/contributors",
              "created_at": "2022-11-19T01:52:18Z",
              "default_branch": "main",
              "deployments_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/deployments",
              "description": null,
              "disabled": false,
              "downloads_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/downloads",
              "events_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/events",
              "fork": false,
              "forks": 1,
              "forks_count": 1,
              "forks_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/forks",
              "full_name": "laurentsimon/slsa-delegate-project",
              "git_commits_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/git/commits{/sha}",
              "git_refs_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/git/refs{/sha}",
              "git_tags_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/git/tags{/sha}",
              "git_url": "git://github.com/laurentsimon/slsa-delegate-project.git",
              "has_discussions": false,
              "has_downloads": true,
              "has_issues": true,
              "has_pages": false,
              "has_projects": true,
              "has_wiki": true,
              "homepage": null,
              "hooks_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/hooks",
              "html_url": "https://github.com/laurentsimon/slsa-delegate-project",
              "id": 567955265,
              "is_template": false,
              "issue_comment_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/issues/comments{/number}",
              "issue_events_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/issues/events{/number}",
              "issues_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/issues{/number}",
              "keys_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/keys{/key_id}",
              "labels_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/labels{/name}",
              "language": "Go",
              "languages_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/languages",
              "license": {
                "key": "apache-2.0",
                "name": "Apache License 2.0",
                "node_id": "MDc6TGljZW5zZTI=",
                "spdx_id": "Apache-2.0",
                "url": "https://api.github.com/licenses/apache-2.0"
              },
              "merges_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/merges",
              "milestones_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/milestones{/number}",
              "mirror_url": null,
              "name": "slsa-delegate-project",
              "node_id": "R_kgDOIdpPQQ",
              "notifications_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/notifications{?since,all,participating}",
              "open_issues": 0,
              "open_issues_count": 0,
              "owner": {
                "avatar_url": "https://avatars.githubusercontent.com/u/64505099?v=4",
                "events_url": "https://api.github.com/users/laurentsimon/events{/privacy}",
                "followers_url": "https://api.github.com/users/laurentsimon/followers",
                "following_url": "https://api.github.com/users/laurentsimon/following{/other_user}",
                "gists_url": "https://api.github.com/users/laurentsimon/gists{/gist_id}",
                "gravatar_id": "",
                "html_url": "https://github.com/laurentsimon",
                "id": 64505099,
                "login": "laurentsimon",
                "node_id": "MDQ6VXNlcjY0NTA1MDk5",
                "organizations_url": "https://api.github.com/users/laurentsimon/orgs",
                "received_events_url": "https://api.github.com/users/laurentsimon/received_events",
                "repos_url": "https://api.github.com/users/laurentsimon/repos",
                "site_admin": false,
                "starred_url": "https://api.github.com/users/laurentsimon/starred{/owner}{/repo}",
                "subscriptions_url": "https://api.github.com/users/laurentsimon/subscriptions",
                "type": "User",
                "url": "https://api.github.com/users/laurentsimon"
              },
              "private": false,
              "pulls_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/pulls{/number}",
              "pushed_at": "2022-11-22T02:55:04Z",
              "releases_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/releases{/id}",
              "size": 8,
              "ssh_url": "[email protected]:laurentsimon/slsa-delegate-project.git",
              "stargazers_count": 0,
              "stargazers_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/stargazers",
              "statuses_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/statuses/{sha}",
              "subscribers_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/subscribers",
              "subscription_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/subscription",
              "svn_url": "https://github.com/laurentsimon/slsa-delegate-project",
              "tags_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/tags",
              "teams_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/teams",
              "topics": [],
              "trees_url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project/git/trees{/sha}",
              "updated_at": "2022-11-22T02:20:17Z",
              "url": "https://api.github.com/repos/laurentsimon/slsa-delegate-project",
              "visibility": "public",
              "watchers": 0,
              "watchers_count": 0,
              "web_commit_signoff_required": false
            },
            "sender": {
              "avatar_url": "https://avatars.githubusercontent.com/u/5194569?v=4",
              "events_url": "https://api.github.com/users/asraa/events{/privacy}",
              "followers_url": "https://api.github.com/users/asraa/followers",
              "following_url": "https://api.github.com/users/asraa/following{/other_user}",
              "gists_url": "https://api.github.com/users/asraa/gists{/gist_id}",
              "gravatar_id": "",
              "html_url": "https://github.com/asraa",
              "id": 5194569,
              "login": "asraa",
              "node_id": "MDQ6VXNlcjUxOTQ1Njk=",
              "organizations_url": "https://api.github.com/users/asraa/orgs",
              "received_events_url": "https://api.github.com/users/asraa/received_events",
              "repos_url": "https://api.github.com/users/asraa/repos",
              "site_admin": false,
              "starred_url": "https://api.github.com/users/asraa/starred{/owner}{/repo}",
              "subscriptions_url": "https://api.github.com/users/asraa/subscriptions",
              "type": "User",
              "url": "https://api.github.com/users/asraa"
            },
            "workflow": ".github/workflows/release.yml"
          }
        }
      },
      "build_config": {
        "version": 1,
        "inputs": {
          "release-tag": "v100",
          "name1": "value1",
          "name2": "value2",
          "private-repository": true
        }
      },
      "materials": [
        {
          "uri": "git+https://github.com/laurentsimon/slsa-delegate-project@refs/heads/main",
          "digest": {
            "sha1": "8cbf4d422367d8499d5980a837cb9cc8e1e67001"
          }
        }
      ],
      "metadata": {
        "reproducible": false,
        "completeness": {
          "parameters": true,
          "environment": false,
          "materials": false
        }
      }
    }
    
  • 15

    [feature] support creating a draft release

    The Go builder and generic generator use softprops/action-gh-release to create releases. We should support setting the draft flag so that users can create draft releases.