ppkarwasz opened a new pull request, #4094:
URL: https://github.com/apache/logging-log4j2/pull/4094

> [!NOTE]
> To work correctly, this workflow requires the migration from `protected_branches` to `rulesets` in our `.asf.yaml` file.

Adds `.github/workflows/generate-source-provenance.yaml`, which generates a signed provenance attestation for every commit pushed to a protected branch (`2.x`, `main`, `release/*`).

The workflow uses the [`slsa_with_provenance`](https://github.com/slsa-framework/source-actions) action, which:

1. Runs `sourcetool` to verify the branch satisfies the SLSA Source policy and to collect the commit metadata.
2. Signs the resulting attestation with the GitHub Actions OIDC token via Sigstore/Fulcio, publishing the signing event to the Rekor transparency log.
3. Attaches the signed attestation to the commit via `git notes`.

This satisfies [SLSA Source Level 4](https://slsa.dev/spec/v1.2/source-requirements#source-l4): attestations are cryptographically bound to the specific CI run that witnessed the commit, stored in the append-only Rekor ledger, and retrievable alongside the source tree without modifying history.

Attestations can be inspected locally after fetching notes:

```
git fetch origin '+refs/notes/*:refs/notes/*'
git notes show <sha>
```

or verified end-to-end with `sourcetool`:

```
sourcetool verifycommit --owner apache --repo logging-log4j2 -c <sha>
```
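The PR relies on the attestation being bound to the specific commit it is attached to. As an added example (not code from the PR or from the `slsa_with_provenance` action), the script below shows the structural side of that binding: it parses a DSSE envelope of the kind `git notes show <sha>` would print, decodes the in-toto Statement inside it, and checks that the commit you are looking at is actually named as a subject. It does not verify the Sigstore signature or consult Rekor; that is what `sourcetool verifycommit` does. The sample note, the `predicateType` URI and the signature value are constructed placeholders, not values produced by the real workflow.

```python
import base64
import json

# Constructed sample: a DSSE envelope shaped like one a git note could carry for
# a commit. The signature and predicateType are placeholders; this example checks
# the attestation-to-commit binding, not the Sigstore signature.
SAMPLE_SHA = "0123456789abcdef0123456789abcdef01234567"

_statement = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"digest": {"gitCommit": SAMPLE_SHA}}],
    # Placeholder URI (assumption), not the predicate type the real action emits.
    "predicateType": "https://example.invalid/source-provenance/v1",
    "predicate": {"branch": "refs/heads/2.x"},
}
SAMPLE_NOTE = json.dumps({
    "payloadType": "application/vnd.in-toto+json",
    "payload": base64.b64encode(json.dumps(_statement).encode()).decode(),
    "signatures": [{"sig": "PLACEHOLDER-SIGNATURE"}],
})


class AttestationError(ValueError):
    """Raised when a note does not look like a well-formed attestation."""


def parse_envelope(note_text: str) -> dict:
    """Parse a DSSE envelope and return the decoded in-toto Statement."""
    try:
        envelope = json.loads(note_text)
    except json.JSONDecodeError as exc:
        raise AttestationError(f"note is not JSON: {exc}") from exc
    if envelope.get("payloadType") != "application/vnd.in-toto+json":
        raise AttestationError(
            f"unexpected payloadType {envelope.get('payloadType')!r}")
    if not envelope.get("signatures"):
        # An unsigned envelope is worthless even if its contents look right.
        raise AttestationError("envelope carries no signatures")
    try:
        statement = json.loads(
            base64.b64decode(envelope["payload"], validate=True))
    except (KeyError, ValueError) as exc:
        raise AttestationError(f"payload is not base64 JSON: {exc}") from exc
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        raise AttestationError(
            f"unexpected statement type {statement.get('_type')!r}")
    return statement


def subject_commits(statement: dict) -> set:
    """Collect every gitCommit digest the statement claims to describe."""
    commits = set()
    for subj in statement.get("subject", []):
        digest = subj.get("digest", {}).get("gitCommit")
        if digest:
            commits.add(digest.lower())
    return commits


def check_note_binds_commit(note_text: str, commit_sha: str) -> bool:
    """True iff the note's attestation names commit_sha as a subject.

    A git note can be attached to any object, so an attestation produced for
    one commit could be re-attached to another; this check catches that.
    """
    statement = parse_envelope(note_text)
    return commit_sha.lower() in subject_commits(statement)


if __name__ == "__main__":
    print("binds sample commit:", check_note_binds_commit(SAMPLE_NOTE, SAMPLE_SHA))
    print("binds other commit:", check_note_binds_commit(SAMPLE_NOTE, "f" * 40))
```

In practice you would feed it the output of `git notes show <sha>` together with that same `<sha>`; a `False` result or an `AttestationError` means the note should not be trusted regardless of whether its signature happens to verify.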
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.