Add SLSA generic generator workflow #5025

Open
Jerad551 wants to merge 1 commit into gitkraken:main from Jerad551:Jerad551-patch-1

Jerad551 commented Mar 7, 2026

❤ Thank you for contributing to GitLens ❤

🚨 IMPORTANT 🚨

  • Please create an issue before creating a Pull Request
  • Please use the following Git commit message style
    • Use future tense ("Adds feature" not "Added feature")
    • Use a "Fixes #xxx -" or "Closes #xxx -" prefix to auto-close the issue that your PR addresses
    • Limit the first line to 72 characters or less
    • Reference issues and pull requests liberally after the first line

↑👆 DELETE above before submitting 👆↑


Description

Checklist

  • I have followed the guidelines in the Contributing document
  • My changes follow the coding style of this project
  • My changes build without any errors or warnings
  • My changes have been formatted and linted
  • My changes include any required corresponding changes to the documentation (including CHANGELOG.md and README.md)
  • My changes have been rebased and squashed to the minimal number (typically 1) of relevant commits
  • My changes have a descriptive commit message with a short title, including a Fixes $XXX - or Closes #XXX - prefix to auto-close the issue that your PR addresses

This pull request introduces a new GitHub Actions workflow for generating SLSA provenance files, which helps improve supply chain security by providing verifiable build information. The workflow builds artifacts, computes their hashes, and integrates with the SLSA framework to generate and upload provenance data.

Supply chain security enhancements:

  • Added .github/workflows/generator-generic-ossf-slsa3-publish.yml workflow to automate SLSA provenance file generation and uploading, leveraging the OpenSSF SLSA framework for level 3 provenance requirements.
  • Included steps to build artifacts, compute their SHA256 hashes, and provide them as subjects for provenance generation, improving traceability and integrity of build outputs.

Integration with external tools:

  • Configured the workflow to use third-party actions from the SLSA framework, with appropriate permissions for signing and uploading provenance files to releases.
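
The subject-hashing step described above, as an added example that is not code from this pull request or from the SLSA project: it encodes `sha256sum` output as the single-line base64 string that the generic generator's `base64-subjects` input takes, then decodes such a string and re-checks the files against it. The function names and the `artifact1`/`artifact2` files are constructed for illustration.

```shell
#!/bin/sh
# Added example: build and re-check SLSA provenance subjects.
set -eu

# encode_subjects DIR FILE...
# Hash the files relative to DIR (so subject names carry no runner-specific
# path) and emit the "<sha256>  <name>" lines as one base64 string.
encode_subjects() {
  es_dir="$1"; shift
  # Fail closed: a missing artifact must not produce a partial subject list.
  es_sums="$(cd "$es_dir" && sha256sum -- "$@")" || return 1
  printf '%s\n' "$es_sums" | base64 | tr -d '\n'
}

# verify_subjects SUBJECTS DIR
# Decode a subjects string and re-hash every listed file found in DIR.
# Returns non-zero on any mismatch, missing file, or undecodable input.
# With GNU coreutils, adding --strict also rejects malformed lines.
verify_subjects() {
  ( cd "$2" && printf '%s' "$1" | base64 -d | sha256sum -c - )
}

# Constructed demo: two placeholder artifacts, checked before and after
# one of them is modified.
demo() {
  d_tmp="$(mktemp -d)"
  printf 'artifact one\n' > "$d_tmp/artifact1"
  printf 'artifact two\n' > "$d_tmp/artifact2"
  d_subjects="$(encode_subjects "$d_tmp" artifact1 artifact2)"
  echo "base64-subjects: $d_subjects"
  verify_subjects "$d_subjects" "$d_tmp" && echo "unmodified: verified"
  printf 'modified after hashing\n' > "$d_tmp/artifact2"
  if verify_subjects "$d_subjects" "$d_tmp" >/dev/null 2>&1; then
    echo "modified: NOT detected"
  else
    echo "modified: mismatch detected"
  fi
  rm -rf "$d_tmp"
}
demo
```
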
