From 8688e4fab35e1109e951716c1bda34d7a38b8760 Mon Sep 17 00:00:00 2001
From: Ben
Date: Sat, 16 May 2026 22:07:12 +0000
Subject: [PATCH] hotfix slsa provenance
---
.github/workflows/source-provenance.yml | 4 +++-
doc/explanation/threat_model_supply_chain.rst | 2 +-
doc/howto/verify-integrity.rst | 2 +-
security/tm_supply_chain.py | 2 +-
4 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/source-provenance.yml b/.github/workflows/source-provenance.yml
index c7bbfb5e..f51c1d29 100644
--- a/.github/workflows/source-provenance.yml
+++ b/.github/workflows/source-provenance.yml
@@ -39,7 +39,9 @@ jobs:
 persist-credentials: false
 - name: Attest source governance (SLSA Source Track)
- uses: slsa-framework/slsa-source-corroborator@v0.1.0
+ uses: slsa-framework/source-actions/slsa_with_provenance@v0.1.0
+ with:
+ version: v0.6.3
 attest-source:
 name: Generate source provenance
diff --git a/doc/explanation/threat_model_supply_chain.rst b/doc/explanation/threat_model_supply_chain.rst
index dad2e28d..699aa7f7 100644
--- a/doc/explanation/threat_model_supply_chain.rst
+++ b/doc/explanation/threat_model_supply_chain.rst
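Review bot: The new `uses:` line pins `slsa-framework/source-actions/slsa_with_provenance` by the mutable tag `@v0.1.0` rather than by a commit SHA, so whoever can move that tag decides what runs inside the job that produces this project's source-provenance attestations. The replaced line had the same weakness, but a step whose whole purpose is provenance is where it matters most, and the same workflow already sets `persist-credentials: false`, which suggests hardening was intended here. Pin the action to its full commit SHA and keep the tag as a trailing comment, e.g. `uses: slsa-framework/source-actions/slsa_with_provenance@<commit-sha-of-v0.1.0> # v0.1.0`, and add a one-line comment above `version: v0.6.3` saying what that input selects, since it is not obvious from the hunk. The enclosing job and the `attest-source` job that follows continue outside the hunk.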
@@ -324,7 +324,7 @@ Controls
 - Low
 - Repudiation, Spoofing
 - DFT-31
- - Mitigates: Source Provenance Attestations are published via ``slsa-framework/slsa-source-corroborator`` on every push to ``main``. These attestations prove the specific source-level governance controls applied on each commit: branch protection, mandatory code review, and ancestry enforcement (C-038). Predicate type ``https://slsa.dev/source_provenance/v1`` is signed by GitHub Actions via Sigstore and stored in the GitHub Attestation registry. Consumers can verify using ``gh attestation verify`` with ``--predicate-type https://slsa.dev/source_provenance/v1`` and ``--cert-identity`` pinned to ``source-provenance.yml@refs/heads/main``. ``.github/workflows/source-provenance.yml``
+ - Mitigates: Source Provenance Attestations are published via ``slsa-framework/source-actions/slsa_with_provenance`` on every push to ``main``. These attestations prove the specific source-level governance controls applied on each commit: branch protection, mandatory code review, and ancestry enforcement (C-038). Predicate type ``https://slsa.dev/source_provenance/v1`` is signed by GitHub Actions via Sigstore and stored in the GitHub Attestation registry. Consumers can verify using ``gh attestation verify`` with ``--predicate-type https://slsa.dev/source_provenance/v1`` and ``--cert-identity`` pinned to ``source-provenance.yml@refs/heads/main``. ``.github/workflows/source-provenance.yml``
 * - C-038
 - Ancestry enforcement on dfetch main branch
 - Low
diff --git a/doc/howto/verify-integrity.rst b/doc/howto/verify-integrity.rst
index c159681e..9579896b 100644
--- a/doc/howto/verify-integrity.rst
+++ b/doc/howto/verify-integrity.rst
@@ -211,7 +211,7 @@ any binary was produced):
 Every commit merged to ``main`` has a Source Provenance Attestation proving that branch protection, mandatory code review, and ancestry enforcement were in place when the commit landed. These attestations are published by
-``slsa-framework/slsa-source-corroborator`` and stored in the
+``slsa-framework/source-actions/slsa_with_provenance`` and stored in the
 `attestation registry `_. Replace ```` with the 40-character commit SHA you want to verify:
diff --git a/security/tm_supply_chain.py b/security/tm_supply_chain.py
index 7ea7a9ba..f99e3bc8 100644
--- a/security/tm_supply_chain.py
+++ b/security/tm_supply_chain.py
@@ -670,7 +670,7 @@ def build_model() -> TM:
 ),
 description=(
 "Source Provenance Attestations are published via "
- "``slsa-framework/slsa-source-corroborator`` on every push to ``main``. "
+ "``slsa-framework/source-actions/slsa_with_provenance`` on every push to ``main``. "
 "These attestations prove the specific source-level governance controls "
 "applied on each commit: branch protection, mandatory code review, and "
 "ancestry enforcement (C-038). "