Currently our release workflow fails with:
Error: The action slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@v2.1.0 is not allowed in guacsec/guac because all actions must be pinned to a full-length commit SHA.
This is because we have the Require actions to be pinned to a full-length commit SHA setting enabled on this repo.
However, the SLSA generator action requires a tag instead of a hash:
At present, the GitHub Actions provided in this repository as builders and generators MUST be referenced by tag in order for the slsa-verifier to be able to verify the ref of the trusted builder/generator's reusable workflow. It also needs to be referred as @vX.Y.Z, because the build will fail if you reference it via a shorter tag like @vX.Y or @vX.
As a result, we can't generate provenance and keep this setting on. This setting reduces security risks, but since we use Kusari Inspector to catch insecure workflows more generally, we can disable this in GitHub and still catch unpinned actions.
Currently our release workflow fails with:
Error: The action slsa-framework/slsa-github-generator/.github/actions/detect-workflow-js@v2.1.0 is not allowed in guacsec/guac because all actions must be pinned to a full-length commit SHA.This is because we have the Require actions to be pinned to a full-length commit SHA setting enabled on this repo.
However, the SLSA generator action requires a tag instead of a hash:
As a result, we can't generate provenance and keep this setting on. This setting reduces security risks, but since we use Kusari Inspector to catch insecure workflows more generally, we can disable this in GitHub and still catch unpinned actions.