Merge pull request #145 from paulinayanez/pullreq-branch-e84c0dc9-a743-4ccc-bad3-d1abf6e864a9

puerco · web-flow · commit db45ab31f3ab · 2025-08-14T20:18:04.000-06:00
Add SLSA Source Provenance Workflow
diff --git a/.github/workflows/boilerplate.yaml b/.github/workflows/boilerplate.yaml
@@ -1,6 +1,7 @@
 # Copyright 2023 The OpenVEX Authors
 # SPDX-License-Identifier: Apache-2.0
 
+---
 name: Boilerplate
 
 on:
@@ -36,6 +37,8 @@ jobs:
     steps:
       - name: Check out code
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - uses: chainguard-dev/actions/boilerplate@main
         with:
diff --git a/.github/workflows/ci-build-test.yaml b/.github/workflows/ci-build-test.yaml
@@ -1,6 +1,7 @@
 # Copyright 2023 The OpenVEX Authors
 # SPDX-License-Identifier: Apache-2.0
 
+---
 name: ci-build-test
 
 on:
@@ -16,6 +17,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
@@ -32,6 +35,8 @@ jobs:
 
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
 
       - uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
         with:
diff --git a/.github/workflows/compute_slsa_source.yaml b/.github/workflows/compute_slsa_source.yaml
@@ -0,0 +1,20 @@
+# Copyright 2023 The OpenVEX Authors
+# SPDX-License-Identifier: Apache-2.0
+
+---
+name: SLSA Source
+on:
+  push:
+    branches: [ "main" ]
+    tags: ['**']
+permissions: {}
+
+jobs:
+  # Whenever new source is pushed recompute the slsa source information.
+  generate-provenance:
+    permissions:
+      contents: write # needed for storing the vsa in the repo.
+      id-token: write # meeded to mint yokens for signing
+    uses: slsa-framework/source-actions/.github/workflows/compute_slsa_source.yml@main
+    with:
+      allow-merge-commits: true
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -1,6 +1,7 @@
 # Copyright 2023 The OpenVEX Authors
 # SPDX-License-Identifier: Apache-2.0
 
+---
 name: Release
 
 on:
diff --git a/.github/workflows/verify.yaml b/.github/workflows/verify.yaml
@@ -1,3 +1,7 @@
+# Copyright 2023 The OpenVEX Authors
+# SPDX-License-Identifier: Apache-2.0
+
+---
 name: verify
 
 on:
