Description
I want to suggest a new step
Which tool is this about? Where is its repository?
- Tool: Attest Build Provenance GitHub Action
- Repository: Attest Build Provenance
Which operating systems are supported by this tool?
- This tool supports Linux operating systems as it runs within GitHub Actions, which typically uses Ubuntu for its runners.
What should Topgrade do to figure out if the tool needs to be invoked?
- Topgrade should check if there are any new commits or changes in the repository that need to be attested for provenance.
Which exact commands should Topgrade run?
- Topgrade should add a step in the GitHub Actions workflow file similar to the following:

```yaml
- name: Attest Build Provenance
  uses: actions/attest-build-provenance@v2.2.3
```
Does it have a `--dry-run` option? i.e., print what should be done and exit
- The GitHub Action itself does not have a `--dry-run` option, but you can simulate its behavior by using GitHub Actions' `workflow_dispatch` event to manually trigger the workflow and inspect the logs.
Does it need the user to confirm the execution? And does it provide a `--yes` option to skip this step?
- No, the GitHub Action does not require user confirmation and runs automatically as part of the GitHub Actions workflow.
I want to suggest some general feature
Topgrade should integrate the Attest Build Provenance GitHub Action into its CI/CD pipeline to ensure that all builds have verified provenance, enhancing the security and integrity of the build process.
More information
To test this feature, create a new side branch in the Topgrade repository and set up a GitHub Actions workflow file with the Attest Build Provenance step. Push some changes or manually trigger the workflow to verify that the build provenance is correctly attested.
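The issue shows only the `uses:` line. As an added example that is not part of the issue or of the Topgrade repository, the workflow below shows what that step needs around it: the `id-token: write` and `attestations: write` permissions, a `subject-path` naming the artifact to attest, and a follow-up `gh attestation verify` so a run fails if the attestation does not verify. The build commands and the `dist/topgrade` artifact path are assumptions for illustration.

```yaml
# Added example (not from the issue or the Topgrade project).
# Assumption: the build produces the binary at dist/topgrade.
name: release-with-provenance

on:
  workflow_dispatch:        # manual trigger, useful for inspecting the logs
  push:
    tags: ["v*"]

permissions:
  contents: read            # least privilege for the workflow as a whole

jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # the action requests a GitHub OIDC token to sign with
      attestations: write   # the action stores the attestation on the repository
    steps:
      - uses: actions/checkout@v4

      - name: Build
        run: |
          mkdir -p dist
          cargo build --release          # assumed build command
          cp target/release/topgrade dist/topgrade

      # The step from the issue, plus the input it needs: the action hashes the
      # file(s) matched by subject-path and signs a SLSA provenance statement
      # binding those digests to this workflow run.
      - name: Attest Build Provenance
        uses: actions/attest-build-provenance@v2.2.3
        with:
          subject-path: dist/topgrade

      # Verification succeeds only if the artifact digest matches a signed
      # statement produced by a workflow of this repository.
      - name: Verify the attestation just created
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh attestation verify dist/topgrade --repo "${{ github.repository }}"
```

Consumers can run the same `gh attestation verify <file> --repo <owner>/<repo>` command on a downloaded release binary to check it came from this workflow before installing it.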