Support GitHub attestation endpoint #2195

Merged: 4 commits, Jan 25, 2024

@jhrozek (Contributor) commented Jan 24, 2024

In addition to fetching provenance attestations from an OCI image, let's also
support the GitHub attestation endpoint as a fallback (a fallback since it's
not GA yet).

The attestation reply is unmarshalled into a protobuf representation and
passed to sigstore-go.

Fixes: https://github.com/stacklok/epics/issues/174

@jhrozek jhrozek requested a review from a team as a code owner January 24, 2024 20:59
@evankanderson (Member) commented

I think your Fixes is not right...

@jhrozek (Contributor, Author) commented Jan 25, 2024

> I think your Fixes is not right...

So we started filing the issues in the epics repo because it's private and we were not sure if we can reference the work publicly as the GH attestations program is not public. We got a green light from GH yesterday to merge the code in a public repo, but for some reason I can't seem to be able to move the issue to the minder repo. For now, I'm going to reference the full URL of the issue in the epics repo. Is there a way to move the issue or do you know what can be preventing the issue from being moved? Is it that the epics repo is private but the minder repo is public?

Instead of hardcoding a single token-based authentication, let's pass
a slice of authMethods the caller wants to be used. The verifier will
pick an available verification method based on the authentication method
provided by the caller.

Related: stacklok/epics#174
In addition to fetching provenance attestations from an OCI image, let's also
support the GitHub attestation endpoint as a fallback (a fallback since it's
not GA yet).

The attestation reply is unmarshalled into a protobuf representation and
passed to sigstore-go.

Fixes: stacklok/epics#174
@rdimitrov (Member) left a comment

🚀

@JAORMX (Contributor) left a comment

shipit 🚢

@jhrozek jhrozek merged commit 514c630 into mindersec:main Jan 25, 2024
18 checks passed