
actions/attest-build-provenance #3220

Closed
wants to merge 4 commits into from

Conversation

lectrical
Contributor

Adding https://github.com/actions/attest-build-provenance to the ci builds so that the release assets and docker image for the next release tag generate signed build provenance attestations for workflow artifacts.

@emanuele6
Member

It is erroring with:

Error: Failed to get ID token: Error message: Unable to get ACTIONS_ID_TOKEN_REQUEST_URL env variable

@lectrical
Contributor Author

@emanuele6 that seems to be a permissions issue on the PR actions. It works in the local repo (except docker push which was working

https://github.com/lectrical/jq/actions/runs/12274537270

It's the normal error you expect if you forgot to add these https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds#generating-build-provenance-for-binaries

Perhaps it should be skipped for PRs anyway?

@lectrical
Contributor Author

lectrical commented Dec 12, 2024

So according to this actions/attest-build-provenance#99, the issue is expected.

I think I can maybe make it skip this on a PR originating from a fork?

@lectrical
Contributor Author

So that worked. The step is skipped unless a tag was pushed. I think that will only happen for a new release?

.github/workflows/ci.yml
Contributor

@itchyny itchyny left a comment

I think adding attestation to the artifacts can be moved to the release job. This minimizes the permissions. Also, this adds attestation to the aliased artifacts like jq-linux64.
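The workflow shape the thread converges on (attest only in a tag-triggered release job, grant `id-token`/`attestations` write only there, and attest the aliased artifacts as well), written out as an added illustration rather than the jq project's actual ci.yml; the job names, artifact paths, tag pattern and action version are assumptions:

```yaml
# Added example, not jq's own workflow. Names, paths, the tag pattern and the
# action version are assumptions; the permissions are the ones the docs linked
# above require for actions/attest-build-provenance.
name: release

on:
  push:
    tags: ['jq-*']          # assumption: release tags look like jq-1.7.1
  pull_request:             # PRs (fork PRs included) build but never attest

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh       # placeholder for the real build steps
      - uses: actions/upload-artifact@v4
        with:
          name: binaries
          path: dist/

  release:
    # Runs only for a tag push, so a fork PR (which gets no OIDC token and
    # therefore fails with "Unable to get ACTIONS_ID_TOKEN_REQUEST_URL")
    # never reaches the attest step.
    if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/')
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write       # upload release assets
      id-token: write       # mint the OIDC token Sigstore signs with
      attestations: write   # store the provenance on GitHub
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: binaries
          path: dist/
      # Create the alias before attesting so it is covered too.
      - run: cp dist/jq-linux-amd64 dist/jq-linux64
      - uses: actions/attest-build-provenance@v2   # version assumed
        with:
          subject-path: |
            dist/jq-*
```

A downloaded asset can later be checked against the stored provenance with `gh attestation verify <file> --repo jqlang/jq`.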

@lectrical lectrical closed this by deleting the head repository Dec 27, 2024