From the README:

If the repository initiating the GitHub Actions workflow is public, the public-good instance of Sigstore will be used to generate the attestation signature. If the repository is private/internal, it will use the GitHub private Sigstore instance.
I have an organization where we have repo A (public, containing all the source code) and repo B (private, containing deployment workflows, scripts, etc). When we want to trigger a release, repo B builds artifacts and uploads them to a release on repo A using a custom GITHUB_TOKEN.
In this setup, we would like to create the attestations in repo A, rather than in repo B (and so use the public-good instance). To my understanding, this is not possible right now?
We don't have a good way to support this use case currently. The identity which is embedded in the attestation is derived from the repository associated with the workflow. This means that the repository and git commit referenced in the provenance attestation would refer to the private build repo, not the public source repo.
To leverage provenance attestations today you'd have to co-locate your source code and your build workflow in the same repository.
I think that it may be possible to support something like this in the future, but will probably require that attestation support get baked-in to the GitHub Actions system as a first-class feature. In its current form, the provenance attestation really requires that the source and the build workflow be located in the same repository.
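The practical consequence of the reply above is that a consumer's verification policy has to compare the repository recorded in the provenance against the repository it expects the source to come from, and a split build/source setup fails that comparison. The following is an added example, not code from this issue or from the attest-build-provenance project: it decodes a DSSE envelope carrying an in-toto Statement with a SLSA v1 provenance predicate, pulls out the workflow repository and source commit, and checks the repository against an expected value. The envelope contents are constructed here; the field layout (`buildDefinition.externalParameters.workflow.repository`, `resolvedDependencies[].digest.gitCommit`) follows the SLSA v1 provenance format as this example assumes the action populates it. Signature verification against Sigstore is deliberately out of scope; this only inspects the payload that a verified bundle would yield.

```python
"""Source-repository policy check over a GitHub Actions build-provenance
attestation. Added example, not project code. Payload layout is assumed to
follow the SLSA v1 provenance predicate; sample data is constructed."""
import base64
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SLSA_V1_PREDICATE = "https://slsa.dev/provenance/v1"
GH_WORKFLOW_BUILD_TYPE = "https://actions.github.io/buildtypes/workflow/v1"


def make_sample_envelope(build_repo, commit):
    """Build a constructed DSSE envelope shaped like the action's output.

    The provenance names the repository that RAN the workflow (build_repo)
    both as the workflow repository and as the resolved source dependency,
    which is exactly the behaviour the maintainer describes: a build in a
    private repo B records repo B, not the public source repo A.
    The signature is a placeholder; nothing here verifies it.
    """
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "app.tar.gz", "digest": {"sha256": "ab" * 32}}],
        "predicateType": SLSA_V1_PREDICATE,
        "predicate": {
            "buildDefinition": {
                "buildType": GH_WORKFLOW_BUILD_TYPE,
                "externalParameters": {
                    "workflow": {
                        "ref": "refs/heads/main",
                        "repository": "https://github.com/" + build_repo,
                        "path": ".github/workflows/release.yml",
                    }
                },
                "resolvedDependencies": [
                    {
                        "uri": "git+https://github.com/" + build_repo + "@refs/heads/main",
                        "digest": {"gitCommit": commit},
                    }
                ],
            },
            "runDetails": {
                "builder": {
                    "id": "https://github.com/" + build_repo
                    + "/.github/workflows/release.yml@refs/heads/main"
                }
            },
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": payload,
        "signatures": [{"sig": "placeholder-not-a-real-signature"}],
    }


def provenance_repo(envelope):
    """Return (workflow repository URL, source git commit) from an envelope.

    Raises ValueError if the envelope is not an in-toto SLSA v1 provenance
    produced by the GitHub Actions workflow build type.
    """
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType: %r" % envelope.get("payloadType"))
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("predicateType") != SLSA_V1_PREDICATE:
        raise ValueError("unexpected predicateType: %r" % statement.get("predicateType"))
    build_def = statement["predicate"]["buildDefinition"]
    if build_def.get("buildType") != GH_WORKFLOW_BUILD_TYPE:
        raise ValueError("unexpected buildType: %r" % build_def.get("buildType"))
    repo_url = build_def["externalParameters"]["workflow"]["repository"]
    commit = ""
    for dep in build_def.get("resolvedDependencies", []):
        digest = dep.get("digest", {})
        if "gitCommit" in digest:
            commit = digest["gitCommit"]
            break
    return repo_url, commit


def check_source_repo(envelope, expected_repo):
    """True only if the provenance names exactly expected_repo ("owner/name").

    Exact comparison on purpose: a prefix or substring match would accept
    "owner/name-fork" or a different owner with the same repo name.
    """
    repo_url, _ = provenance_repo(envelope)
    return repo_url == "https://github.com/" + expected_repo


if __name__ == "__main__":
    commit = "c" * 40  # constructed
    colocated = make_sample_envelope("example-org/repo-a", commit)
    split = make_sample_envelope("example-org/repo-b", commit)
    print("co-located build passes:", check_source_repo(colocated, "example-org/repo-a"))
    print("split build passes:     ", check_source_repo(split, "example-org/repo-a"))
```

For a real artifact you would first verify the bundle's signature and certificate identity (for example with `gh attestation verify`), then apply a check like `check_source_repo` to the verified payload; the point of the example is that for the repo A / repo B layout in the question the recorded repository is repo B, so a policy expecting repo A rejects the attestation.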