Build Type: GitHub Actions

This is a SLSA Provenance buildType that describes the execution of a GitHub Actions workflow.

This build type was inspired by the GitHub Actions build type described here.

Description

"buildType": "https://docs.cimon.build/provenance/buildtypes/github/v1"

The GitHub Actions build type describes the execution of a GitHub Actions workflow that builds a software artifact.

Only the following trigger types are supported:

Supported event type	Event description
workflow_dispatch	A user manually queued the workflow.
push	CI triggered by a Git push event.
pull_request	CI triggered when a pull request is opened or updated.
tag	CI triggered when a new tag is pushed to the repository.
schedule	Starts your pipeline based on a schedule, such as a nightly build.
create	CI triggered when a branch or tag is created.
workflow_run	CI triggered when a workflow run is requested or completed.

A list of all event types can be found on the GitHub Actions documentation here.

Build Definition

External parameters All external parameters are REQUIRED unless empty.

Parameter	Type	Description
workflow	object	The workflow that was run
workflow.name	string	The name of the GitHub Actions workflow
workflow.repository	string	URI of the git repository
workflow.ref	string	A git reference to the commit
workflow.filePath	string	Path to the workflow YAML file
job	object	The job definition for the build
job.jobName	string	The name of the job
job.jobId	string	-
build	object	The specific build that generated the provenance
build.buildRun	string	The build run ID
build.buildRunAttempt	string	Number attempt for the specified build run ID
build.buildUrl	string	The full web URL for the build

Example:

"externalParameters": {
    "workflow": {
        "name": "GitHub Test Workflow",
        "repository": "https://github.com/cycodelabs/cimon",
        "ref": "refs/heads/main",
        "filePath": ".github/workflows/push.yml"
    },
    "job": {
        "jobName": "PushEvent",
        "jobId": "00000000000"
    },
    "build": {
        "buildRun": "5706737730",
        "buildRunAttempt": "1",
        "buildUrl": "https://github.com/cycodelabs/cimon/actions/runs/5706737730/attempts/1"
    }
}

Internal parameters

All internal parameters are OPTIONAL. This build type doesn't use internal parameters.

Resolved Dependencies

The resolvedDependencies SHOULD contain an entry identifying the resolved git commit ID corresponding to externalParameters.workflow. The dependency's URI MUST be in SPDX Download Location format, i.e., "git+" + workflow.uri + "@" + workflow.ref.

Example:

"resolvedDependencies": [
    {
        "uri": "git+https://github.com/cycodelabs/cimon@refs/heads/main",
        "digest": {
            "gitCommit": "bc93e6f8e6721d802678219af080a8559bc058b0"
        }
    }
]

Run Details

Builder

The builder.id MUST represent the entity that generated the provenance, as per the SLSA Provenance documentation. In the case of GitHub Actions, it should be the URL of the repository and the reference to the workflow.

Example:

"builder": {
    "id": "https://github.com/cycodelabs/cimon/.github/workflows/push.yml@refs/heads/main"
}

Metadata

The invocationId SHOULD be set to the GitHub Actions URL for the specific run and run attempt.

Example:

"metadata": {
    "invocationID": "https://github.com/cycodelabs/cimon/actions/runs/5706737730/attempts/1",
}