
Create attestations in a different repository #60

Open
alexrp opened this issue May 6, 2024 · 7 comments
Labels
feature-request New feature or request

Comments

@alexrp

alexrp commented May 6, 2024

From the README:

If the repository initiating the GitHub Actions workflow is public, the public-good instance of Sigstore will be used to generate the attestation signature. If the repository is private/internal, it will use the GitHub private Sigstore instance.

I have an organization where we have repo A (public, containing all the source code) and repo B (private, containing deployment workflows, scripts, etc). When we want to trigger a release, repo B builds artifacts and uploads them to a release on repo A using a custom GITHUB_TOKEN.

In this setup, we would like to create the attestations in repo A, rather than in repo B (and so use the public-good instance). To my understanding, this is not possible right now?

@bdehamer
Collaborator

bdehamer commented May 7, 2024

We don't have a good way to support this use case currently. The identity which is embedded in the attestation is derived from the repository associated with the workflow. This means that the repository and git commit referenced in the provenance attestation would refer to the private build repo, not the public source repo.

To leverage provenance attestations today you'd have to co-locate your source code and your build workflow in the same repository.

@alexrp
Author

alexrp commented May 11, 2024

Could this realistically be supported in the future? Or is this fundamental to how attestation works?

@bdehamer
Collaborator

I think that it may be possible to support something like this in the future, but will probably require that attestation support get baked-in to the GitHub Actions system as a first-class feature. In its current form, the provenance attestation really requires that the source and the build workflow be located in the same repository.

@bdehamer bdehamer added the feature-request New feature or request label May 14, 2024
@johnbillion

johnbillion commented Aug 12, 2024

Noting that this also affects workflows that use a reusable workflow from another repo to create the attestation. The attestation refers to the reusable workflow rather than the workflow that used it and if that exists in another repo then the attestation won't be verifiable.

Edit: This is not correct, verification can be done either with the repo name or the owner name:

  • gh attestation verify <file> --owner <owner>
  • gh attestation verify <file> --repo <owner>/<repo>
  • gh attestation verify <file> --repo <owner>/<repo> --signer-repo <owner>/<repo>

@bdehamer
Collaborator

@johnbillion I think the use case you're describing is a bit different. We definitely support verification of attestations created with reusable workflows from different repositories. See the information about using the --signer-repo and --signer-workflow flags here.
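To make the distinction between the source repository and the signer (reusable-workflow) repository concrete, here is an added example that is not part of this issue or of the attest action: a Python policy check over a constructed SLSA v1 provenance predicate. It assumes the field layout produced by actions/attest-build-provenance (source repo under externalParameters.workflow.repository, signing workflow under runDetails.builder.id) and checks those fields the way `--repo` and `--signer-repo` are described above; the real `gh attestation verify` additionally checks the Sigstore signing certificate, which this example does not model.

```python
# Constructed sample predicate (assumed layout of actions/attest-build-provenance;
# org and repo names are placeholders, not taken from this issue).
SAMPLE_PREDICATE = {
    "buildDefinition": {
        "buildType": "https://actions.github.io/buildtypes/workflow/v1",
        "externalParameters": {
            "workflow": {
                "ref": "refs/heads/main",
                "repository": "https://github.com/example-org/repo-a",
                "path": ".github/workflows/release.yml",
            }
        },
        "resolvedDependencies": [
            {
                "uri": "git+https://github.com/example-org/repo-a@refs/heads/main",
                "digest": {"gitCommit": "0" * 40},  # placeholder commit
            }
        ],
    },
    "runDetails": {
        # Reusable workflow that actually ran the attest step (the "signer").
        "builder": {
            "id": "https://github.com/example-org/shared-workflows/"
                  ".github/workflows/attest.yml@refs/heads/main"
        }
    },
}


def repo_of(url: str) -> str:
    """Return 'owner/repo' from a github.com URL, dropping any path or @ref."""
    path = url.split("github.com/", 1)[1]
    owner, repo = path.split("@", 1)[0].split("/")[:2]
    return f"{owner}/{repo}"


def check_provenance(predicate: dict, expected_repo: str, allowed_signer_repos: set) -> list:
    """Policy mirroring --repo / --signer-repo: source must match, and a signer
    in a different repo must be on an explicit allow-list. Returns problems."""
    source = repo_of(predicate["buildDefinition"]["externalParameters"]["workflow"]["repository"])
    signer = repo_of(predicate["runDetails"]["builder"]["id"])
    problems = []
    if source != expected_repo:
        problems.append(f"source repo {source!r} != expected {expected_repo!r}")
    if signer != source and signer not in allowed_signer_repos:
        problems.append(f"signer repo {signer!r} not in allow-list")
    return problems
```

In the two-repo setup from the opening comment, the source field would name the private build repo, so the first check fails for the public repo no matter which signer is allowed.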

@johnbillion

@bdehamer Thanks!

@meyerzz

meyerzz commented Oct 28, 2024

I think so
