Create go-ossf-slsa3-publish.yml #768
Open
+38
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: JohnDaWalka <201526231+JohnDaWalka@users.noreply.github.com>
There was a problem hiding this comment.
Pull Request Overview
This PR introduces a new GitHub Actions workflow to enhance supply chain security by implementing SLSA3-compliant building for Go projects. The workflow generates provenance files that document the build process, following OpenSSF standards.
- Adds a new GitHub Actions workflow for SLSA3-compliant Go builds
- Configures automatic triggers on releases and manual workflow dispatch
- Sets up proper permissions for signing and uploading release assets
|
|
||
| jobs: | ||
| # ======================================================================================================================================== | ||
| # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. |
There was a problem hiding this comment.
There's a spelling error: 'Prerequesite' should be 'Prerequisite'.
Suggested change
| # Prerequesite: Create a .slsa-goreleaser.yml in the root directory of your project. | |
| # Prerequisite: Create a .slsa-goreleaser.yml in the root directory of your project. |
Copilot uses AI. Check for mistakes.
| actions: read # To read workflow path. | ||
| uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v1.4.0 | ||
| with: | ||
| go-version: 1.17 |
There was a problem hiding this comment.
Go version 1.17 is quite old (released in 2021). Consider using a more recent version like 1.21 or 1.22 for better security, performance, and language features.
Suggested change
| go-version: 1.17 | |
| go-version: 1.22 |
Copilot uses AI. Check for mistakes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request introduces a new GitHub Actions workflow for building Go projects using a SLSA3-compliant builder. The workflow is designed to enhance supply chain security by generating a provenance file that describes the steps taken to produce the final binary.
New GitHub Actions Workflow:
.github/workflows/go-ossf-slsa3-publish.yml: Added a workflow named "SLSA Go releaser" to compile Go projects with a SLSA3-compliant builder. This includes generating a provenance file for enhanced supply chain security, leveraging the OpenSSF initiative. The workflow uses theslsa-framework/slsa-github-generatorand supports Go version 1.17.<!--Thank you for contributing to GitHub MCP Server!
Please reference an existing issue:
Closes #NUMBERScreenshots or videos of changed behavior is incredibly helpful and always appreciated.
Consider addressing the following:
-->
Closes: