Skip to content

ci(release): attach SLSA provenance (.intoto.jsonl) to releases for Scorecard Signed-Releases 10/10 #673

Description

@dermorz

Context

Release artefacts are cosign-signed (keyless) with a *.sigstore.json bundle per file, which earns 8/10 on OpenSSF Scorecard's Signed-Releases check. The remaining 2 points require a SLSA provenance file (*.intoto.jsonl) present in each release's assets. Scorecard detects it by filename only, averaged over the recent releases.

Problem

release.yaml runs actions/attest-build-provenance, which stores the attestation in GitHub's attestation store / sigstore — not as a release asset. Scorecard only inspects release assets by filename, so the attestation is invisible to it and the check caps at 8/10.

Proposed solution

Produce a real SLSA provenance file and attach it to the (draft) release:

  • Add a slsa-framework/slsa-github-generator (generator_generic_slsa3.yml) job that takes the base64 sha256 of the release binaries (we already compute checksums.txt) and emits a signed *.intoto.jsonl.
  • Attach that file to the draft release alongside the .sigstore.json bundles (add it to the Create GitHub Release files: list) so it is present before publish.

Constraints to respect

  • Immutable releases: the .intoto.jsonl must be attached to the draft before publish — assets cannot be added to a published immutable release.
  • Reusable-workflow shape: slsa-github-generator is invoked as a job-level uses:, so it must be a separate job feeding the release step.
  • Keep a single release-creation / publish point.

Acceptance criteria

  • Each release carries a *.intoto.jsonl provenance asset next to the signature bundles.
  • Provenance verifies (e.g. slsa-verifier verify-artifact).
  • Scorecard Signed-Releases reaches 10/10 once enough provenanced releases are in the recent window.

Notes

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions