Create generator-generic-ossf-slsa3-publish.yml #1815

Open
wants to merge 1 commit into
base: main

Conversation

teguhsy

@teguhsy teguhsy commented Mar 4, 2024

Purpose / Abstract

  • Closes #AAA

Summary by CodeRabbit

  • New Features
    • Introduced a workflow to generate SLSA level 3 provenance files, enhancing software supply chain security.

@teguhsy teguhsy requested a review from a team as a code owner March 4, 2024 10:38

coderabbitai bot commented Mar 4, 2024

Walkthrough

This update introduces a new GitHub workflow aimed at generating Software Bill of Materials (SBOM) provenance files, aligning with the OpenSSF's SLSA level 3 requirements. It focuses on building artifacts and creating provenance subjects with sha256 checksums, alongside enabling external verification of these provenance files. This enhancement is a step forward in bolstering the security of the software supply chain.

Changes

File Path | Change Summary
.github/workflows/.../slsa3-publish.yml | Introduced workflow for SLSA level 3 SBOM provenance generation and verification.

🐇✨
In the realm of code, under digital skies,
A new workflow blooms, security-wise.
With SLSA's might, it stands tall,
Guarding the chain, protecting us all.
🌟📦🔐

  • CodeRabbit


@teguhsy

teguhsy commented Mar 4, 2024

nice


@coderabbitai coderabbitai bot left a comment


Review Status

Actionable comments generated: 1

Configuration used: CodeRabbit UI

Commits: files that changed from the base of the PR and between 2c241ed and 58a8805.
Files selected for processing (1)
  • .github/workflows/generator-generic-ossf-slsa3-publish.yml (1 hunks)
Additional comments: 5
.github/workflows/generator-generic-ossf-slsa3-publish.yml (5)
  • 1-11: The header comments provide a clear overview of the workflow's purpose, its alignment with OpenSSF initiatives, and the tools used for generating and verifying SLSA provenance files. It's good practice to include such comprehensive documentation at the beginning of a workflow file for clarity and transparency.
  • 13-17: The workflow is triggered manually (workflow_dispatch) and automatically on the creation of a release (release: types: [created]). This setup ensures flexibility in generating SLSA provenance files either on-demand or as part of the release process. It's a well-thought-out approach to trigger the workflow under these specific conditions.
  • 25-37: The steps for building artifacts are clearly defined, with a placeholder for the actual build commands. This section is crucial for generating the artifacts that will be referenced in the provenance file. Ensure that the placeholder commands (echo "artifact1" > artifact1, echo "artifact2" > artifact2) are replaced with the actual build commands relevant to the project.

Ensure that the build commands are correctly replaced with project-specific build steps.

  • 47-55: The step for generating the provenance subjects uses sha256sum to hash the artifacts and then encodes the output in base64. This is a critical step for generating the provenance file. However, ensure that the base64 -w0 command is compatible with the environment where the workflow runs. The -w0 option is used to disable line wrapping in the output, which is important for generating a consistent hash. However, this option might not be available or behave differently on non-GNU systems.

Verify the compatibility of base64 -w0 in the GitHub Actions runner environment.

  • 57-66: The provenance job correctly specifies its dependency on the build job and sets the necessary permissions for reading the workflow path, signing the provenance, and adding assets to a release. It uses the slsa-framework/slsa-github-generator action to generate the SLSA provenance file, passing the base64-encoded subjects from the build job. This setup is well-configured for generating and optionally uploading the provenance file to a new release. It's a good practice to explicitly define permissions for each job to adhere to the principle of least privilege.
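The subjects step and the verification the review discusses above, as an added example that is not part of the PR or of the slsa-github-generator project: it reproduces locally what the workflow's hash step feeds to the generator (a base64-encoded `sha256sum` listing, with `tr -d '\n'` doing the job of the GNU-only `base64 -w0`) and adds the consumer-side check that compares released artifacts against the recorded digests. The artifact files and the `make_subjects`/`verify_subjects` names are constructed here and assume a Linux host with GNU coreutils, as on the ubuntu runners the workflow targets.

```shell
#!/bin/sh
# Added example, not the PR's workflow. Assumes GNU coreutils (sha256sum,
# base64 -d) as found on the ubuntu GitHub Actions runners.

# Build the subjects string the SLSA generic generator consumes as
# `base64-subjects`: one "<sha256 hex>  <file>" line per artifact,
# base64-encoded onto a single line. `tr -d '\n'` strips the wrapping that
# GNU base64 inserts every 76 characters, so it replaces `-w0` on any
# base64 implementation (BSD/macOS base64 has no -w option).
make_subjects() {
  sha256sum "$@" | base64 | tr -d '\n'
}

# Consumer side: decode the recorded subjects and let sha256sum -c check
# every listed file in the current directory. Exit status is 0 only when
# every artifact matches; --status keeps it silent so callers branch on it.
verify_subjects() {
  printf '%s' "$1" | base64 -d | sha256sum -c --status
}

# Constructed demo: two stand-in artifacts (mirroring the placeholder build
# step), a subjects string, a successful check, then a tampered artifact
# that must be rejected. Runs in a subshell so the caller's cwd is unchanged.
demo() (
  dir=$(mktemp -d) || exit 1
  cd "$dir" || exit 1
  echo "artifact1" > artifact1
  echo "artifact2" > artifact2
  subjects=$(make_subjects artifact1 artifact2)
  verify_subjects "$subjects" || { echo "unexpected digest mismatch"; exit 1; }
  echo "tampered" > artifact2
  if verify_subjects "$subjects"; then
    echo "tampering not detected"; exit 1
  fi
  echo "digests=$subjects"   # what the hash step would append to GITHUB_OUTPUT
  cd / && rm -rf "$dir"
)

demo
```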

Comment on lines +19 to +23
jobs:
build:
runs-on: ubuntu-latest
outputs:
digests: ${{ steps.hash.outputs.digests }}

The build job is configured to run on ubuntu-latest. While this is a common practice, consider specifying a fixed version of Ubuntu (e.g., ubuntu-20.04) to ensure the workflow's stability over time. Using ubuntu-latest might lead to unexpected behavior if GitHub changes the underlying version.

- runs-on: ubuntu-latest
+ runs-on: ubuntu-20.04
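Review bot: pinning `runs-on` to `ubuntu-20.04` trades one moving target for another, since GitHub retires dated runner images over time; if the pin is kept, add a comment beside the label stating why it was chosen and who reviews it. For the supply-chain property this workflow exists to provide, the runner label matters less than the action references: the `slsa-framework/slsa-github-generator` reusable workflow and any checkout action should be referenced by a specific release tag rather than a floating ref, and that is the pin worth adding in this hunk's neighbourhood.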


Suggested change
jobs:
build:
runs-on: ubuntu-latest
outputs:
digests: ${{ steps.hash.outputs.digests }}
jobs:
build:
runs-on: ubuntu-20.04
outputs:
digests: ${{ steps.hash.outputs.digests }}
