Stream: git-wasmtime

Topic: wasmtime / issue #9698 Consider integrating build provena...


Wasmtime GitHub notifications bot (Dec 01 2024 at 15:43):

tschneidereit opened issue #9698:

Feature

GitHub provides an action for creating build provenance attestations for Actions-built artifacts, which we could integrate into our pipeline with, I think, low effort.

Benefit

Build provenance attestation would provide consumers with verifiable guarantees of the artifacts' provenance.

Implementation

Based on the Action's description, implementation seems fairly straightforward and should involve not much besides following the steps documented there.

Alternatives

There might be alternative forms of attestation. This one has the advantage of being officially supported by GitHub, and showing up in the project's attestations tab.

Wasmtime GitHub notifications bot (Dec 04 2024 at 20:31):

alexcrichton closed issue #9698:

Wasmtime GitHub notifications bot (Dec 04 2024 at 20:31):

alexcrichton commented on issue #9698:

Well we have attestations now as they're rolling in for the artifacts produced for the dev tag. I downloaded a random one and ran:

$ ./gh_2.63.1_linux_amd64/bin/gh attestation verify --owner bytecodealliance ./wasmtime-dev-riscv64gc-linux.tar.xz
Loaded digest sha256:525d1ac2051ce2c903b6697c7875f85f27f1696e24993494b6d6506e8777d7be for file://wasmtime-dev-riscv64gc-linux.tar.xz
Loaded 1 attestation from GitHub API
 Verification succeeded!

sha256:525d1ac2051ce2c903b6697c7875f85f27f1696e24993494b6d6506e8777d7be was attested by:
REPO                       PREDICATE_TYPE                  WORKFLOW
bytecodealliance/wasmtime  https://slsa.dev/provenance/v1  .github/workflows/publish-artifacts.yml@refs/heads/main

so it looks like... at least something is working!


Last updated: Dec 23 2024 at 12:05 UTC