Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Revert package perms #1283

Merged
merged 3 commits into from
Nov 29, 2022
Merged

Revert package perms #1283

merged 3 commits into from
Nov 29, 2022

Conversation

ianlewis
Copy link
Member

Reopens #1257

Reverts most of #1258 but leaves in place top level permissions for the generic container workflow. This is because cosign seems to use the ambient token to retrieve data from the OCI registry for signing rather than using the provided registry password.

@ianlewis
Revert "Update GHA token permissions for generic container workflow (s…
e7b8af2 
…lsa-framework#1258)"

This reverts commit 38f9f24.

Signed-off-by: Ian Lewis <ianlewis@google.com>
@ianlewis
set default top level perms
33573c3 
Signed-off-by: Ian Lewis <ianlewis@google.com>
This was referenced Nov 29, 2022
Merged
Open
@joshuagl
Copy link
Member

This is because cosign seems to use the ambient token to retrieve data from the OCI registry for signing rather than using the provided registry password.

I was going to suggest we file an issue, but see you've already done that. Thanks!
sigstore/cosign#2489

joshuagl
joshuagl approved these changes Nov 29, 2022
View reviewed changes
Copy link
Member

@joshuagl joshuagl left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ianlewis
Copy link
Member Author

This is because cosign seems to use the ambient token to retrieve data from the OCI registry for signing rather than using the provided registry password.

I was going to suggest we file an issue, but see you've already done that. Thanks! sigstore/cosign#2489

I'm really not 100% sure what the cause is but the fact that the docker login and push actions succeed but the cosign upload of the attestation doesn't makes me think cosign is at fault.

@ianlewis ianlewis merged commit 18a7d07 into slsa-framework:main Nov 29, 2022
@laurentsimon
Copy link
Collaborator

Shall we wait for the cosign issue to be resolved before releasing the container workflow?

@ianlewis
Copy link
Member Author

Shall we wait for the cosign issue to be resolved before releasing the container workflow?

I don't think it's that big of an issue that we need to hold up releasing the container workflow GA. Though we will want to fix it at some point. I'm tracking on the reopened #1257

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@joshuagl joshuagl joshuagl approved these changes

@asraa asraa Awaiting requested review from asraa

@laurentsimon laurentsimon Awaiting requested review from laurentsimon laurentsimon is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@ianlewis @joshuagl @laurentsimon