
Blog post for slsa-github-generator generic GA #471

Merged

Conversation

ianlewis
Member

@ianlewis ianlewis commented Aug 22, 2022

Adds a blog post about the slsa-github-generator generic workflow and
its general availability. This is a follow-on to the previous blog post
on slsa-github-generator's Go functionality published on Jun 20.

Signed-off-by: Ian Lewis <ianlewis@google.com>

@netlify

netlify bot commented Aug 22, 2022

Deploy Preview for slsa ready!

Latest commit: 4a3e535
Latest deploy log: https://app.netlify.com/sites/slsa/deploys/630d5135adf0080008ae3154
Deploy Preview: https://deploy-preview-471--slsa.netlify.app/blog/2022/08/slsa-github-workflows-generic-ga

@ianlewis ianlewis force-pushed the slsa-github-generator-generic-ga branch from eb26d4a to a1d5bcf Compare August 22, 2022 03:21
@ianlewis ianlewis force-pushed the slsa-github-generator-generic-ga branch from a1d5bcf to 4ea7820 Compare August 22, 2022 03:23
Contributor

@laurentsimon laurentsimon left a comment


Thanks!

@inferno-chromium inferno-chromium requested a review from a team August 22, 2022 19:49
Member

@mlieberman85 mlieberman85 left a comment


LGTM

@laurentsimon
Contributor

@MarkLodato is OOO. Any additional feedback? @joshuagl @kimsterv?

@ianlewis
Member Author

I would also like approval from @asraa as well, as her name is in the author line.

@laurentsimon laurentsimon requested review from sethmlarson and varunsh-coder and removed request for sethmlarson and varunsh-coder August 26, 2022 14:51
@laurentsimon
Contributor

laurentsimon commented Aug 26, 2022

Thanks everyone for the thorough reviews. Any further comments before we can merge this PR?

@varunsh-coder

Do you want to mention the recent PyPI phishing and related unauthorized publishing of packages in the examples? Just a suggestion. No other comments from my side.

@laurentsimon
We already have examples in the text, but we can add one more. Do you have a link in mind you think we should add?

@varunsh-coder
This one https://www.bleepingcomputer.com/news/security/pypi-packages-hijacked-after-developers-fall-for-phishing-emails/? I know there are already examples, which is why this might not be needed. At the same time, this is more recent and top of mind.

@inferno-chromium inferno-chromium requested review from a team and removed request for sethmlarson August 26, 2022 15:57
@inferno-chromium
Contributor

Thank you @mlieberman85 for your review. I think this only needs one reviewer, but leaving for any other final comments from steering committee for another day (it was shared earlier in the week).

@ianlewis
Member Author

ianlewis commented Aug 29, 2022

I thought the same thing when this came out. I left the existing examples but added a note referencing this most recent incident.

@ianlewis ianlewis force-pushed the slsa-github-generator-generic-ga branch from c213b71 to 25d51b7 Compare August 29, 2022 08:33
@melba-lopez
Contributor

@inferno-chromium where was this blog draft shared? I don't believe there was a SLSA meeting last week, so trying to understand if it was in a different medium that I did not see.

@inferno-chromium
Contributor

This was shared on both the SLSA and TAC OpenSSF Slack and here in the repo. We haven't needed discussions in SLSA meetings before. Feel free to take a look and let us know how you would like to proceed.

Contributor

@asraa asraa left a comment


LGTM!

ianlewis and others added 2 commits August 30, 2022 08:52
@inferno-chromium inferno-chromium merged commit 050fb3f into slsa-framework:main Aug 30, 2022
@melba-lopez
Contributor

I see it now!! Thank you :) For some reason I didn't notice it (even though I posted right after it was shared).
