revert: "feat: produce sigstore Bundles for generic generator and go builder workflows" #3985

Merged: ramonpetgrave64 merged 1 commit into main from revert-3777-ramonpetgrave64-internal-builder-sigstore-bundlev2 on Oct 25, 2024

@ramonpetgrave64 (Contributor)

Reverts #3777

Lots of new failing errors in our e2e tests today. We may have missed something when testing these changes.
For now, we should revert while we debug, and come up with more robust testing methods.

```
**** Verifying provenance authenticity with verifier at HEAD *****
Testing against builder args
  **** Default parameters (annotated tags) *****
WARNING: Insecure SLSA_VERIFIER_TESTING is enabled.
Verifying artifact hello: FAILED: missing signing certificate in bundle

FAILED: SLSA verification failed: missing signing certificate in bundle
✖ 1 == 0 :: not main default parameters (annotated_tags)
Error: Process completed with exit code 1.
```

@ramonpetgrave64 ramonpetgrave64 changed the title Revert "feat: produce sigstore Bundles for generic generator and go builder workflows" revert: "feat: produce sigstore Bundles for generic generator and go builder workflows" Oct 25, 2024
@ramonpetgrave64 (Contributor, Author)

@haydentherapper @loosebazooka

@ramonpetgrave64 ramonpetgrave64 merged commit d7aa406 into main Oct 25, 2024
@ramonpetgrave64 ramonpetgrave64 deleted the revert-3777-ramonpetgrave64-internal-builder-sigstore-bundlev2 branch January 29, 2025 20:10
@ramonpetgrave64 ramonpetgrave64 restored the revert-3777-ramonpetgrave64-internal-builder-sigstore-bundlev2 branch January 31, 2025 15:39
@ramonpetgrave64 ramonpetgrave64 mentioned this pull request Feb 11, 2025
ramonpetgrave64 added a commit that referenced this pull request Feb 12, 2025
# Summary

Follow-up to #3777, #3985,
slsa-framework/slsa-verifier#813

Redo: Changes the internal go code to produce Sigstore Bundles, instead
of only signed DSSE envelopes. This means that the generic generator and
go builder workflows now produce Sigstore Bundles, just like the other
BYOB-type workflows.

## Testing Process

Tested with a previous commit that contains a debug workflow
* https://github.com/slsa-framework/slsa-github-generator/actions/runs/13271183182
* main...internal-builder-bundle#diff-7e191d865f72ecdac3334e38bc0bd33c12349c6729a1702bc81765ecfcfb2c82
   * generates provenances with `push` events
* it uses a slightly modified version of slsa-verifier that respects
provenances generated by non-main branches.
* slsa-framework/slsa-verifier@main...sghg-go-bundle

## Checklist

- [x] Review the contributing
[guidelines](https://github.com/slsa-framework/slsa-github-generator/blob/main/CONTRIBUTING.md)
- [x] Add a reference to related issues in the PR description.
- [x] Update documentation if applicable.
- [x] Add unit tests if applicable.
- [x] Add changes to the
[CHANGELOG](https://github.com/slsa-framework/slsa-github-generator/blob/main/CHANGELOG.md)
if applicable.

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
@ramonpetgrave64 ramonpetgrave64 deleted the revert-3777-ramonpetgrave64-internal-builder-sigstore-bundlev2 branch February 18, 2025 21:06
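
The change discussed in this thread switches the output from a bare signed DSSE envelope to a Sigstore Bundle, and the e2e log shows a verifier rejecting a bundle with no signing certificate. The following is an added example, not code from slsa-github-generator or slsa-verifier: a pre-flight check that tells the two layouts apart and confirms a bundle carries a certificate. It assumes the standard Sigstore Bundle JSON field names; `classify` and the sample documents are hypothetical, and it makes no claim about the root cause of the failure above.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

type rawCert struct{ RawBytes string `json:"rawBytes"` }

// doc covers both layouts: a bare DSSE envelope and a Sigstore bundle.
type doc struct {
	PayloadType string          `json:"payloadType"`
	Signatures  json.RawMessage `json:"signatures"`
	Envelope    json.RawMessage `json:"dsseEnvelope"`
	Material    *struct {
		Certificate rawCert `json:"certificate"`
		Chain       struct{ Certificates []rawCert `json:"certificates"` } `json:"x509CertificateChain"`
	} `json:"verificationMaterial"`
}

// classify names the layout; for a bundle it also requires a certificate entry
// (single leaf certificate, or the older x509CertificateChain form).
func classify(data []byte) (string, error) {
	var d doc
	if err := json.Unmarshal(data, &d); err != nil {
		return "", err
	}
	if d.Material == nil && d.Envelope == nil {
		if d.PayloadType != "" && len(d.Signatures) > 0 {
			return "dsse-envelope", nil
		}
		return "", errors.New("neither a DSSE envelope nor a Sigstore bundle")
	}
	if m := d.Material; m != nil && (m.Certificate.RawBytes != "" || len(m.Chain.Certificates) > 0) {
		return "sigstore-bundle", nil
	}
	return "sigstore-bundle", errors.New("bundle has no signing certificate")
}

// Constructed samples (placeholder base64, not real signatures or certificates).
const envelope = `{"payloadType":"application/vnd.in-toto+json","payload":"e30=","signatures":[{"sig":"c2ln"}]}`
const bundle = `{"verificationMaterial":{"certificate":{"rawBytes":"Y2VydA=="}},"dsseEnvelope":` + envelope + `}`
const noCert = `{"verificationMaterial":{"publicKey":{"hint":"k"}},"dsseEnvelope":` + envelope + `}`

func main() {
	for _, s := range []string{envelope, bundle, noCert} {
		fmt.Println(classify([]byte(s)))
	}
}
```

This is a structural check only; it does not validate the certificate, the signature, or any transparency log entry.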