Description
For workflows that allow user input upon invocation, such as via the workflow_dispatch event, the provenance should include the user-supplied inputs in the externalParameters section. We could also consider the event type as an externalParameter.
example workflow_dispatch provenance
SLSA's Provenance Spec has some guidance about the externalParameters, with some ambiguity about whether they are required for Level 2 or for Level 3. This could be a typo, because Level 3's emphasis can be summarized as isolation between the builder and signer environments.
https://slsa.dev/spec/v1.0/provenance#model
externalParameters: the external interface to the build. In SLSA, these values are untrusted; they MUST be included in the provenance and MUST be verified downstream.
https://slsa.dev/spec/v1.0/provenance#builddefinition
The parameters that are under external control, such as those set by a user or tenant of the build platform. They MUST be complete at SLSA Build L3, meaning that there is no additional mechanism for an external party to influence the build. (At lower SLSA Build levels, the completeness MAY be best effort.)
I understand that, for now, GitHub's attestation Action intends to be at Level 2, but it's worth including this for users that do happen to use workflow inputs as actual build parameters.
... Artifact attestations provides SLSA v1.0 Build Level 2.
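To illustrate both the proposed externalParameters layout above and the spec's requirement that these values be verified downstream, here is an added example (not code from this issue or from GitHub's attestation Action). The in-toto statement is constructed for this example, and the `event` and `inputs` keys under externalParameters are the layout this issue proposes, not fields the Action emits today; the checker compares the recorded inputs against the set a verifier's policy expects.

```python
"""Downstream check that a SLSA v1.0 provenance statement records the
workflow_dispatch inputs the build was invoked with. The 'event' and 'inputs'
keys under externalParameters are the layout this issue proposes (constructed
here), not fields GitHub's attestation currently emits."""
import json

# Constructed in-toto statement carrying a SLSA v1.0 provenance predicate.
SAMPLE_STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "app.tar.gz", "digest": {"sha256": "00" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {
                "workflow": {
                    "ref": "refs/heads/main",
                    "repository": "https://github.com/example/app",
                    "path": ".github/workflows/release.yml",
                },
                # Proposed additions: event type and user-supplied inputs.
                "event": "workflow_dispatch",
                "inputs": {"version": "1.2.3", "debug": "false"},
            },
        },
        "runDetails": {"builder": {"id": "https://example.invalid/builder"}},
    },
})

def check_external_parameters(statement_json, expected_inputs):
    """Return a list of problems; an empty list means the provenance passes.
    externalParameters are untrusted, so the verifier compares them against
    the inputs its policy allows instead of trusting the builder to filter."""
    stmt = json.loads(statement_json)
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        return ["unexpected predicateType"]
    ext = stmt["predicate"]["buildDefinition"].get("externalParameters", {})
    problems = []
    if ext.get("event") == "workflow_dispatch" and "inputs" not in ext:
        problems.append("workflow_dispatch run but no inputs recorded")
    recorded = ext.get("inputs", {})
    for key, value in expected_inputs.items():
        if key not in recorded:
            problems.append(f"input '{key}' missing from provenance")
        elif recorded[key] != value:
            problems.append(f"input '{key}' is {recorded[key]!r}, expected {value!r}")
    for key in recorded:
        if key not in expected_inputs:
            problems.append(f"unexpected input '{key}' influenced the build")
    return problems
```

A run with an input the policy never allowed, or a workflow_dispatch run whose provenance omits inputs entirely, is reported rather than silently accepted.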