UID2-6764: enable SLSA provenance attestation#2531
Open
BehnamMozafari wants to merge 2 commits intomainfrom
Open
UID2-6764: enable SLSA provenance attestation#2531BehnamMozafari wants to merge 2 commits intomainfrom
BehnamMozafari wants to merge 2 commits intomainfrom
Conversation
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Reusable workflows take the intersection of caller and callee permissions. Adding only id-token + attestations would have stripped the contents/ packages/security-events/pull-requests writes that the existing publish implicitly inherited from the workflow default, breaking the build. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
id-token: writeandattestations: writeto the publish job(s) so the shared workflow can sign image provenance after uid2-shared-actions#228 merges and thev3float is promoted.This change is additive and harmless before the shared-actions side lands — the permissions are granted but only used once
actions/attest@v4runs fromv3.Test plan
v3is promoted, verify a real publish produces a signed attestation withgh attestation verify oci://ghcr.io/iabtechlab/<image>:<tag> --owner UnifiedID2.Linked: UID2-6764
🤖 Generated with Claude Code