ci: add build attestation and license compliance workflows #42
Merged
Add SLSA build provenance attestation to release pipeline using actions/attest-build-provenance alongside existing cosign signing. Add FOSSA license compliance workflow for GPL-2.0 compatibility checks (requires FOSSA_API_KEY secret to activate).
Add java_code output to change detection job so CodeQL analysis is skipped when only workflow/config files change (prevents false failure on empty Java database). Add API key check to FOSSA workflow so it gracefully skips when FOSSA_API_KEY secret is not configured.
Move secret check from job-level if condition (where secrets context is unreliable) to a step-level check that sets an output. Fork contributors without FOSSA_API_KEY get a clean pass instead of failure.
FOSSA test step requires a full-access API key to display issue details. With a push-only key, it reports issues but cannot show details. Set continue-on-error so the scan results are uploaded to FOSSA webapp for review without blocking CI.
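The change-detection gate and the step-level secret check described in the commits above, written out as an added example (this is not the PR's own workflow file). Assumed names: the `java_code` filter globs and source layout, the `codeql` and `license-compliance` job names, and `fossas/fossa-action@v1` as the scanner step; `FOSSA_API_KEY` is the secret name the commits use.

```yaml
name: ci

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  changes:
    runs-on: ubuntu-latest
    outputs:
      java_code: ${{ steps.filter.outputs.java_code }}
    steps:
      - uses: actions/checkout@v4
      - id: filter
        uses: dorny/paths-filter@v3
        with:
          filters: |
            java_code:
              - 'src/**/*.java'   # assumed source layout
              - 'pom.xml'

  codeql:
    needs: changes
    # Workflow/config-only changes produce an empty Java database, which
    # CodeQL reports as a failure; skip the job instead of running it.
    if: needs.changes.outputs.java_code == 'true'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: github/codeql-action/init@v3
        with:
          languages: java
      - uses: github/codeql-action/autobuild@v3
      - uses: github/codeql-action/analyze@v3

  license-compliance:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # A job-level `if:` cannot read the secrets context, so the presence
      # check runs as a step and publishes an output later steps gate on.
      - name: Check for FOSSA API key
        id: fossa-key
        env:
          FOSSA_API_KEY: ${{ secrets.FOSSA_API_KEY }}
        run: |
          if [ -n "$FOSSA_API_KEY" ]; then
            echo "present=true" >> "$GITHUB_OUTPUT"
          else
            echo "present=false" >> "$GITHUB_OUTPUT"
            echo "FOSSA_API_KEY not configured; skipping license scan"
          fi
      - name: FOSSA analyze and test
        if: steps.fossa-key.outputs.present == 'true'
        # A push-only key reports issues but cannot show their details;
        # keep results visible in the FOSSA webapp without failing the job.
        continue-on-error: true
        uses: fossas/fossa-action@v1
        with:
          api-key: ${{ secrets.FOSSA_API_KEY }}
          run-tests: true
```

On a pull request from a fork, GitHub does not expose repository secrets, so the check step sees an empty value, writes `present=false`, and the job finishes green with the scan skipped, which is the clean pass the commit describes.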
7e37925 to 520f814
Remove FOSSA license-compliance workflow (requires external API, premium for policy management, no advantage over local CLI tools). Add Grype vulnerability scan to security-scan.yml with SARIF upload to GitHub Security tab. Add `make audit` (Grype, fast) and `make audit-full` (OWASP, detailed HTML report) targets for local pre-push security scanning.
Document the complete security audit workflow in CONTRIBUTING.md:
- Grype as primary local scanner (make audit, ~30s)
- OWASP as detailed fallback (make audit-full)
- Handling findings by severity
- Core principle: no external API dependency for security tooling
Update Early Detection Chain to include Grype between static analysis and pre-commit hooks. Add Security section to Makefile help. Update AGENTS.md key constraints and development-guide.md.
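The Grype scan with SARIF upload that the commit above adds to `security-scan.yml`, as an added example rather than the PR's own file. Assumed: the `grype` job name, `anchore/scan-action@v4` as the Grype wrapper, and the `fail-build: false` / `severity-cutoff: high` choices.

```yaml
name: security-scan

on:
  pull_request:
  push:
    branches: [main]

permissions:
  contents: read

jobs:
  grype:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF to the Security tab
    steps:
      - uses: actions/checkout@v4

      - name: Catalog the checked-out tree and scan it with Grype
        id: grype
        uses: anchore/scan-action@v4
        with:
          path: .
          output-format: sarif
          # Report rather than block: findings are triaged in the Security
          # tab, and the same scanner runs locally before push (make audit).
          fail-build: false
          severity-cutoff: high

      - name: Upload Grype results to GitHub code scanning
        if: always()   # upload even when the scan step reports findings
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: ${{ steps.grype.outputs.sarif }}
          category: grype
```

Nothing here calls out to a vendor API: Grype pulls its vulnerability database and runs locally, so the CI job and the `make audit` target can use the same tool without a secret, which is the "no external API dependency" principle the commit records.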
Summary
- Add SLSA build provenance attestation to release pipeline (`release.yml`) using `actions/attest-build-provenance@v2.2.3`, alongside existing cosign artifact signing
- Add FOSSA license compliance workflow (`license-compliance.yml`) for automated GPL-2.0 compatibility checks on push/PR/weekly schedule

Details

Build Attestation:
- Enables `gh attestation verify` for downstream users
- Adds `id-token: write` and `attestations: write` permissions to release job

FOSSA License Compliance:
- Uses `paths-ignore`
- Requires `FOSSA_API_KEY` secret to activate (workflow will skip if not configured)

Setup Required

To activate FOSSA scanning:
1. Add `FOSSA_API_KEY` to GitHub repository secrets

Test plan

Related: #41 (CodeQL Phase 2 security fixes)
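A release job that combines the existing cosign signing with the provenance attestation listed under Build Attestation, as an added example (not the PR's `release.yml`). The action version is the one the Summary pins; the Maven build command, the artifact path `target/app.jar`, `sigstore/cosign-installer@v3`, and the tag-triggered release flow are assumptions.

```yaml
name: release

on:
  push:
    tags: ['v*']

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # publish the release assets
      id-token: write        # OIDC token for keyless signing and the attestation
      attestations: write    # store the provenance attestation on GitHub
    steps:
      - uses: actions/checkout@v4

      - name: Build artifact (assumed Maven project)
        run: ./mvnw -B -DskipTests package

      - uses: sigstore/cosign-installer@v3

      - name: Sign artifact with cosign (keyless, using the job's OIDC identity)
        run: |
          cosign sign-blob --yes \
            --bundle target/app.jar.sigstore.json \
            target/app.jar

      - name: Attest build provenance (SLSA)
        uses: actions/attest-build-provenance@v2.2.3
        with:
          subject-path: target/app.jar

      - name: Upload release assets
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "${GITHUB_REF_NAME}" target/app.jar target/app.jar.sigstore.json
```

Downstream, a user who downloads `app.jar` checks the provenance with `gh attestation verify app.jar --repo OWNER/REPO` (substituting the real repository), which confirms the artifact digest was attested by a workflow in that repository; the cosign bundle is checked separately with `cosign verify-blob`, pinning `--certificate-oidc-issuer https://token.actions.githubusercontent.com` and a `--certificate-identity-regexp` matching the release workflow so that a signature from any other workflow is rejected.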