-
Notifications
You must be signed in to change notification settings - Fork 5.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update slsa-github-generator to v2.0.0 #2377
base: main
Are you sure you want to change the base?
Conversation
This pull request has become stale and will be closed automatically within a period of time. Sorry about that. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thank you for the PR @ramonpetgrave64! Would you update this version to use the Action's hash instead of the version tag?
update comment
@alexisabril Thanks for taking a look. Our workflow will try to detect the calling ref, and for various reasons, we need it to be referenced by version tag, not by hash. |
@ramonpetgrave64 thank you for the response and understood! However, this currently goes against our PR requirements. I'll defer to my colleagues if this is something we can change in the future, but for the moment I have to leave this as a blocked PR.
Reference: https://github.com/actions/starter-workflows/blob/main/.github/pull_request_template.md |
slsa-framework/slsa-github-generator#3576
Pre-requisites
N/A: not a new workflow
Please note that at this time we are only accepting new starter workflows for Code Scanning. Updates to existing starter workflows are fine.
Tasks
For all workflows, the workflow:
.yml
file with the language or platform as its filename, in lower, kebab-cased format (for example,docker-image.yml
). Special characters should be removed or replaced with words as appropriate (for example, "dotnet" instead of ".NET").GITHUB_TOKEN
so that the workflow runs successfully.For CI workflows, the workflow:
ci
directory.ci/properties/*.properties.json
file (for example,ci/properties/docker-publish.properties.json
).push
tobranches: [ $default-branch ]
andpull_request
tobranches: [ $default-branch ]
.release
withtypes: [ created ]
.docker-publish.yml
).For Code Scanning workflows, the workflow:
code-scanning
directory.code-scanning/properties/*.properties.json
file (for example,code-scanning/properties/codeql.properties.json
), with properties set as follows:name
: Name of the Code Scanning integration.creator
: Name of the organization/user producing the Code Scanning integration.description
: Short description of the Code Scanning integration.categories
: Array of languages supported by the Code Scanning integration.iconName
: Name of the SVG logo representing the Code Scanning integration. This SVG logo must be present in theicons
directory.push
tobranches: [ $default-branch, $protected-branches ]
andpull_request
tobranches: [ $default-branch ]
. We also recommend aschedule
trigger ofcron: $cron-weekly
(for example,codeql.yml
).Some general notes:
actions
organization, or