Skip to content

Revert package perms#1283

Merged
ianlewis merged 3 commits intoslsa-framework:mainfrom
ianlewis:revert-package-perms
Nov 29, 2022
Merged

Revert package perms#1283
ianlewis merged 3 commits intoslsa-framework:mainfrom
ianlewis:revert-package-perms

Conversation

@ianlewis
Copy link
Copy Markdown
Member

@ianlewis ianlewis commented Nov 29, 2022

Reopens #1257

Reverts most of #1258 but leaves in place top level permissions for the generic container workflow. This is because cosign seems to use the ambient token to retrieve data from the OCI registry for signing rather than using the provided registry password.

@ianlewis
Revert "Update GHA token permissions for generic container workflow (s…
e7b8af2 
…lsa-framework#1258)"

This reverts commit 38f9f24.

Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
set default top level perms
33573c3 
Signed-off-by: Ian Lewis <ianlewis@google.com>
This was referenced Nov 29, 2022
Merged
Open
@joshuagl
Copy link
Copy Markdown
Member

joshuagl commented Nov 29, 2022

This is because cosign seems to use the ambient token to retrieve data from the OCI registry for signing rather than using the provided registry password.

I was going to suggest we file an issue, but see you've already done that. Thanks!
sigstore/cosign#2489

joshuagl
joshuagl approved these changes Nov 29, 2022
View reviewed changes
Copy link
Copy Markdown
Member

@joshuagl joshuagl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ianlewis
Copy link
Copy Markdown
Member Author

ianlewis commented Nov 29, 2022

This is because cosign seems to use the ambient token to retrieve data from the OCI registry for signing rather than using the provided registry password.

I was going to suggest we file an issue, but see you've already done that. Thanks! sigstore/cosign#2489

I'm really not 100% sure what the cause is but the fact that the docker login and push actions succeed but the cosign upload of the attestation doesn't makes me think cosign is at fault.

@ianlewis ianlewis merged commit 18a7d07 into slsa-framework:main Nov 29, 2022
@laurentsimon
Copy link
Copy Markdown
Collaborator

laurentsimon commented Nov 29, 2022

Shall we wait for the cosign issue to be resolved before releasing the container workflow?

@ianlewis
Copy link
Copy Markdown
Member Author

ianlewis commented Nov 29, 2022

Shall we wait for the cosign issue to be resolved before releasing the container workflow?

I don't think it's that big of an issue that we need to hold up releasing the container workflow GA. Though we will want to fix it at some point. I'm tracking on the reopened #1257

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@joshuagl joshuagl joshuagl approved these changes

@asraa asraa Awaiting requested review from asraa

@laurentsimon laurentsimon Awaiting requested review from laurentsimon

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ianlewis @joshuagl @laurentsimon