Compatibility with GitHub Attestations using DSSE #813

Open
hfhbd opened this issue Sep 29, 2024 · 2 comments
Comments

@hfhbd

hfhbd commented Sep 29, 2024

I tried to upload the sigstore files to the GitHub attestation endpoint using a custom Gradle task, but GitHub requires/uses DSSE.

And now I am lost. What's needed to upload the sigstore to GitHub?

@loosebazooka
Member

Yeah, we don't generate DSSE signatures. You actually need an attestation generated by a builder: https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds

It's a little difficult for the Gradle process itself to upload these, as the attestation is an observation of the build (the build can't observe itself). So you might have to do your build, then upload the attestation afterwards using the gh CLI or something (your own custom Gradle task, if you so choose).
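To make concrete what "GitHub requires/uses DSSE" means for the files Gradle produces, here is an added example (my own code, not sigstore-java's and not GitHub's) that builds an in-toto Statement over a set of published artifacts and wraps it in a DSSE envelope. The signature in DSSE is over PAE(payloadType, payload), the pre-authentication encoding, not over the jar or pom bytes, which is why a detached signature on the artifact itself is not the right shape. The artifact bytes, the SLSA predicate contents and the HMAC "signer" are constructed stand-ins: GitHub's real attestations are produced by Sigstore keyless signing, and only the bytes-to-sign contract is shown here.

```python
"""Added example (not sigstore-java or GitHub code): build an in-toto Statement
over a set of published artifacts and wrap it in a DSSE envelope.  The point the
thread turns on is visible in dsse_envelope(): the signature covers
PAE(payloadType, payload), never the raw artifact or the raw payload."""
import base64
import hashlib
import hmac
import json
from typing import Callable, Dict, List

IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v1"
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"

# Constructed stand-ins for what `./gradlew publish` would have produced.
DEMO_FILES: Dict[str, bytes] = {
    "adventOfCode-1.0.0.jar": b"PK\x03\x04 constructed jar bytes",
    "adventOfCode-1.0.0.pom": b"<project/>",
}
# Constructed secret for the HMAC stand-in signer below (not a real signing key).
DEMO_KEY = b"constructed-demo-key-not-a-real-signing-key"


def subject_entries(files: Dict[str, bytes]) -> List[dict]:
    """One in-toto subject per artifact: its name plus a sha256 digest."""
    return [
        {"name": name, "digest": {"sha256": hashlib.sha256(data).hexdigest()}}
        for name, data in sorted(files.items())
    ]


def build_statement(files: Dict[str, bytes], predicate: dict) -> dict:
    """in-toto Statement v1 carrying a SLSA provenance predicate (contents constructed)."""
    return {
        "_type": IN_TOTO_STATEMENT_TYPE,
        "subject": subject_entries(files),
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": predicate,
    }


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE Pre-Authentication Encoding:
    "DSSEv1" SP LEN(type) SP type SP LEN(payload) SP payload."""
    t = payload_type.encode("utf-8")
    return b" ".join([b"DSSEv1", str(len(t)).encode("ascii"), t,
                      str(len(payload)).encode("ascii"), payload])


def dsse_envelope(payload_type: str, payload: bytes,
                  sign: Callable[[bytes], bytes], keyid: str = "") -> dict:
    """Sign the PAE bytes (not the raw payload) and emit the envelope JSON."""
    sig = sign(pae(payload_type, payload))
    return {
        "payloadType": payload_type,
        "payload": base64.b64encode(payload).decode("ascii"),
        "signatures": [{"keyid": keyid, "sig": base64.b64encode(sig).decode("ascii")}],
    }


def verify_envelope(envelope: dict, verify: Callable[[bytes, bytes], bool],
                    files: Dict[str, bytes]) -> bool:
    """Recompute PAE from the envelope, require at least one valid signature,
    then check every subject digest against the artifact bytes actually present."""
    payload = base64.b64decode(envelope["payload"])
    signed = pae(envelope["payloadType"], payload)
    if not any(verify(signed, base64.b64decode(s["sig"])) for s in envelope["signatures"]):
        return False
    statement = json.loads(payload)
    if statement.get("_type") != IN_TOTO_STATEMENT_TYPE:
        return False
    expected = {s["name"]: s["digest"]["sha256"] for s in statement["subject"]}
    actual = {n: hashlib.sha256(d).hexdigest() for n, d in files.items()}
    return expected == actual


def hmac_signer(key: bytes) -> Callable[[bytes], bytes]:
    """Stand-in for the real signer (GitHub uses Sigstore keyless signing).
    DSSE only fixes which bytes get signed, so a MAC is enough to show the flow."""
    return lambda msg: hmac.new(key, msg, hashlib.sha256).digest()


def hmac_verifier(key: bytes) -> Callable[[bytes, bytes], bool]:
    """Counterpart of hmac_signer; constant-time comparison of the tag."""
    return lambda msg, sig: hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), sig)


def demo() -> dict:
    """Build and sign an envelope for DEMO_FILES; returns the envelope dict."""
    predicate = {"buildDefinition": {"buildType": "constructed://example"},
                 "runDetails": {"builder": {"id": "constructed://example/builder"}}}
    payload = json.dumps(build_statement(DEMO_FILES, predicate),
                         separators=(",", ":"), sort_keys=True).encode("utf-8")
    return dsse_envelope(IN_TOTO_PAYLOAD_TYPE, payload, hmac_signer(DEMO_KEY))


if __name__ == "__main__":
    env = demo()
    print(json.dumps(env, indent=2))
    print("verifies:", verify_envelope(env, hmac_verifier(DEMO_KEY), DEMO_FILES))
```

Two details worth noticing: the payload is carried as opaque base64 bytes, so the verifier signs and checks exactly the bytes in the envelope and no JSON canonicalisation is needed; and changing `payloadType` alone already invalidates the signature, because the type is part of the PAE.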

@hfhbd
Author

hfhbd commented Oct 23, 2024

Thanks for the answer, this is what I did using GitHub Actions:

  1. Publish the files as before using maven-publish etc.
  2. Collect all files that are published using Gradle
  3. Write the files to the GITHUB_OUTPUT file using Gradle
  4. Call actions/attest-build-provenance with the output

```yaml
      - run: ./gradlew publish
      - name: Write outputs
        id: publications
        run: ./gradlew :writePublicationsToGitHubOutput
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: ${{ steps.publications.outputs.publishedFiles }}
```

with this code:
https://github.com/hfhbd/adventOfCode/blob/main/gradle/build-logic/src/main/kotlin/WritePublicationsToGitHubOutputFile.kt
https://github.com/hfhbd/adventOfCode/blob/main/gradle/build-logic/src/main/kotlin/setup.gradle.kts#L48
https://github.com/hfhbd/adventOfCode/blob/main/build.gradle.kts

With this approach, it should be possible to upload the files using Gradle itself, if there is a Java library to create the DSSE signatures.
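The four-step procedure above hinges on step 3, getting a list of files out of the build and into a later step. Here is an added example of that hand-off (my own code, not the issue author's Gradle task): it writes a list of paths to GITHUB_OUTPUT using the runner's multiline "heredoc" syntax, `name<<DELIM ... DELIM`, which is what lets a multi-file `subject-path` reach actions/attest-build-provenance. The file list is constructed; the small reader at the end mirrors how the runner parses the file and exists only so the round trip can be checked.

```python
"""Added example (not the issue author's Gradle code): write the files a
publication produced (constructed here) to GITHUB_OUTPUT in the runner's
multiline syntax, so a later step can pass them to actions/attest-build-provenance
via subject-path.  parse_github_output() mirrors the runner's reading of the
file and is used only to check the round trip."""
import os
import secrets
import tempfile
from typing import Dict, Iterable, List, Optional

# Constructed stand-in for what a Gradle publication task would report.
DEMO_PUBLISHED_FILES = [
    "build/libs/adventOfCode-1.0.0.jar",
    "build/libs/adventOfCode-1.0.0-sources.jar",
    "build/publications/maven/pom-default.xml",
    "build/publications/maven/module.json",
]


def output_value_errors(values: Iterable[str], delimiter: str) -> List[str]:
    """Values that would corrupt the heredoc block: embedded newlines, or a
    line equal to the delimiter (which would terminate the block early)."""
    errors = []
    for v in values:
        if "\n" in v or "\r" in v:
            errors.append(f"newline in value: {v!r}")
        if v == delimiter:
            errors.append(f"value collides with delimiter: {v!r}")
    return errors


def github_output_multiline(name: str, values: Iterable[str],
                            delimiter: Optional[str] = None) -> str:
    """name<<DELIM / one value per line / DELIM.  A random delimiter is the
    documented way to stop untrusted content from closing the block itself."""
    vals = list(values)
    delimiter = delimiter or "ghadelim_" + secrets.token_hex(16)
    errs = output_value_errors(vals, delimiter)
    if errs:
        raise ValueError("; ".join(errs))
    return f"{name}<<{delimiter}\n" + "\n".join(vals) + f"\n{delimiter}\n"


def append_github_output(name: str, values: Iterable[str],
                         path: Optional[str] = None) -> str:
    """Append the block to $GITHUB_OUTPUT (or an explicit path); returns the block."""
    path = path or os.environ["GITHUB_OUTPUT"]
    block = github_output_multiline(name, values)
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(block)
    return block


def parse_github_output(text: str) -> Dict[str, str]:
    """Reader for 'key=value' lines and 'key<<DELIM ... DELIM' blocks."""
    outputs: Dict[str, str] = {}
    lines = text.split("\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        head = line.split("=", 1)[0]
        if "<<" in head:
            key, delim = head.split("<<", 1)
            i += 1
            body: List[str] = []
            while i < len(lines) and lines[i] != delim:
                body.append(lines[i])
                i += 1
            outputs[key] = "\n".join(body)
        elif "=" in line:
            key, value = line.split("=", 1)
            outputs[key] = value
        i += 1
    return outputs


def demo() -> Dict[str, str]:
    """Write DEMO_PUBLISHED_FILES to a temporary GITHUB_OUTPUT and read it back."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".out") as tmp:
        path = tmp.name
    append_github_output("publishedFiles", DEMO_PUBLISHED_FILES, path)
    with open(path, encoding="utf-8") as fh:
        return parse_github_output(fh.read())


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}:\n{value}")
```

When wiring this into the workflow from the comment above, the job also needs `permissions: id-token: write` and `attestations: write` (plus `contents: read`) for actions/attest-build-provenance to sign and upload, and the attest step has to run after `./gradlew publish`, since, as noted earlier in the thread, the attestation is an observation of a build that has already happened.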
