[rc1-prep] Migrate release.yml to slsa-go-generator for L3 provenance #314

Description

@trilamsr

Per docs/v1-rc1-operational-gaps.md §1 SLSA L3, remediation step 1.

Current release pipeline uses generator_generic_slsa3.yml (L2-enforced on the generic path). The Go-specific generator runs the compile inside the reusable workflow's controlled environment and produces L3-marked attestation.

Work: rewire the package job in .github/workflows/release.yml around generator_go_slsa3.yml. Likely needs a wrapper module that invokes make build from the generator's prep step (OCB's per-platform submodule regen complicates direct integration).

Acceptance: gh attestation verify --predicate-type https://slsa.dev/provenance/v1 returns a predicate whose buildDefinition.buildType resolves to the Go generator's L3-marked workflow.

Effort: M (1-2 weeks).
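One way to script the acceptance check above, as an added example that is not part of the original issue or the project's code. It assumes `gh attestation verify --format json` emits a list whose items carry `verificationResult.statement`; the buildType and builder values are constructed placeholders, to be replaced with the Go generator's real identifiers.

```python
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"
# Constructed placeholders, not real identifiers.
GO_BUILD_TYPE = "https://example.invalid/buildtypes/go-l3"
GENERIC_BUILD_TYPE = "https://example.invalid/buildtypes/generic"
BUILDER_PREFIX = "https://github.com/example-org/example-builder/.github/workflows/go.yml@refs/tags/"

def statements(gh_json):
    """Yield in-toto statements from the verifier's JSON output (assumed shape)."""
    for item in json.loads(gh_json):
        yield item["verificationResult"]["statement"]

def check(stmt, want_build_type, want_builder_prefix):
    """Return the reasons a statement fails the acceptance criterion."""
    if stmt.get("predicateType") != SLSA_V1:
        return [f"predicateType is {stmt.get('predicateType')!r}"]
    problems = []
    pred = stmt.get("predicate", {})
    build_type = pred.get("buildDefinition", {}).get("buildType")
    if build_type != want_build_type:
        problems.append(f"buildType is {build_type!r}")
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    # Prefix match pins the workflow path and requires a tag ref.
    if not builder_id.startswith(want_builder_prefix):
        problems.append(f"builder.id is {builder_id!r}")
    return problems

def accept(gh_json, want_build_type, want_builder_prefix):
    """True if at least one verified statement meets the criterion."""
    return any(not check(s, want_build_type, want_builder_prefix)
               for s in statements(gh_json))

def sample_result(build_type, builder_id):
    """Build a constructed verifier result for demonstration."""
    return {"verificationResult": {"statement": {
        "predicateType": SLSA_V1,
        "predicate": {"buildDefinition": {"buildType": build_type},
                      "runDetails": {"builder": {"id": builder_id}}}}}}

if __name__ == "__main__":
    go = json.dumps([sample_result(GO_BUILD_TYPE, BUILDER_PREFIX + "v0.0.0")])
    generic = json.dumps([sample_result(GENERIC_BUILD_TYPE, BUILDER_PREFIX + "v0.0.0")])
    print("go generator:", accept(go, GO_BUILD_TYPE, BUILDER_PREFIX))
    print("generic generator:", accept(generic, GO_BUILD_TYPE, BUILDER_PREFIX))
```

An attestation from the generic generator still verifies cryptographically, so the buildType comparison is what separates the two cases.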

Labels: rc1-prep (v1.0-rc1 preparation tasks per docs/v1-rc1-operational-gaps.md)