Context
Release artefacts are cosign-signed (keyless) with a *.sigstore.json bundle per file, which earns 8/10 on OpenSSF Scorecard's Signed-Releases check. The remaining 2 points require a SLSA provenance file (*.intoto.jsonl) present in each release's assets. Scorecard detects it by filename only, averaged over the recent releases.
Problem
release.yaml runs actions/attest-build-provenance, which stores the attestation in GitHub's attestation store / sigstore — not as a release asset. Scorecard only inspects release assets by filename, so the attestation is invisible to it and the check caps at 8/10.
Proposed solution
Produce a real SLSA provenance file and attach it to the (draft) release:
- Add a
slsa-framework/slsa-github-generator (generator_generic_slsa3.yml) job that takes the base64 sha256 of the release binaries (we already compute checksums.txt) and emits a signed *.intoto.jsonl.
- Attach that file to the draft release alongside the
.sigstore.json bundles (add it to the Create GitHub Release files: list) so it is present before publish.
Constraints to respect
- Immutable releases: the
.intoto.jsonl must be attached to the draft before publish — assets cannot be added to a published immutable release.
- Reusable-workflow shape:
slsa-github-generator is invoked as a job-level uses:, so it must be a separate job feeding the release step.
- Keep a single release-creation / publish point.
Acceptance criteria
Notes
Context
Release artefacts are cosign-signed (keyless) with a
*.sigstore.jsonbundle per file, which earns 8/10 on OpenSSF Scorecard'sSigned-Releasescheck. The remaining 2 points require a SLSA provenance file (*.intoto.jsonl) present in each release's assets. Scorecard detects it by filename only, averaged over the recent releases.Problem
release.yamlrunsactions/attest-build-provenance, which stores the attestation in GitHub's attestation store / sigstore — not as a release asset. Scorecard only inspects release assets by filename, so the attestation is invisible to it and the check caps at 8/10.Proposed solution
Produce a real SLSA provenance file and attach it to the (draft) release:
slsa-framework/slsa-github-generator(generator_generic_slsa3.yml) job that takes the base64 sha256 of the release binaries (we already computechecksums.txt) and emits a signed*.intoto.jsonl..sigstore.jsonbundles (add it to theCreate GitHub Releasefiles:list) so it is present before publish.Constraints to respect
.intoto.jsonlmust be attached to the draft before publish — assets cannot be added to a published immutable release.slsa-github-generatoris invoked as a job-leveluses:, so it must be a separate job feeding the release step.Acceptance criteria
*.intoto.jsonlprovenance asset next to the signature bundles.slsa-verifier verify-artifact).Signed-Releasesreaches 10/10 once enough provenanced releases are in the recent window.Notes
solution-arsenalandartifact-conduit.