slsa-github-generator: [bug] Problem using SLSA3+ provenance generator for arbitrary projects

Describe the bug

I am following the instructions for using generator_generic_slsa3 to generate provenances for Oak. The call to the workflow fails with the following error:

Run ./.github/actions/generate-builder/generate-builder.sh
/home/runner/work/_temp/9c89bedb-16a3-4329-be6c-a854f00c4572.sh: line 1: ./.github/actions/generate-builder/generate-builder.sh: No such file or directory
Error: Process completed with exit code 127.

The workflow is running and failing on a pull_request trigger. I know that pull_request triggers are not supported, but since this is the first time I am using this workflow, I was hoping to experiment with it before merging this PR to main. If this is the expected behaviour on pull requests, it would help to have the behaviour described in the documentation.

To Reproduce

Here is the PR that uses the generator_generic_slsa3 workflow: https://github.com/project-oak/oak/pull/3166 This is the failed action: https://github.com/project-oak/oak/runs/7953028722?check_suite_focus=true. The step that fails is the “Generate builder” step.

About this issue

  • State: open
  • Created 2 years ago
  • Comments: 16 (6 by maintainers)

Most upvoted comments

Let’s keep it here. Dry-run option is more general than the pull_request. Thanks again for the issue.

I think having a dry-run option is fine if we document it. We should also probably put in some kind of warning in the output that the provenance is not signed.

I’m thinking:

  • Add dry-run option to skip signing on pull_request events
    • Print a warning “Provenance is not signed in a dry run.” in this case.
  • Print a friendlier error message when run in a pull_request without the dry-run option.

A dry-run option would be great. For the pull-request, I only care about provenance generation.