[discussion] Revisit inputs. #1200

Open
ianlewis opened this issue Nov 4, 2022 · 1 comment
Labels
type:discussion A point of discussion


ianlewis commented Nov 4, 2022

Given the language in slsa-framework/slsa#525 we should revisit the parameters that we set in generated SLSA provenance.

According to the newer language, parameters should be any inputs that are sent over the trust boundary. The PR describes them as "independent" and "external" to the builder. In that light, all of the inputs given to the reusable workflows should be recorded in parameters and likely we should record config file inputs as well.

ianlewis added the type:discussion label Nov 4, 2022

ianlewis commented Nov 4, 2022

How we record config files might need some thought. Perhaps just recording the relative path to the file is ok since the repo and digest are recorded in the invocation?
