Build Type: GitHub Actions
This is a SLSA Provenance
buildType that describes the execution of a GitHub Actions workflow.
This build type was inspired by the GitHub Actions build type described here.
The GitHub Actions build type describes the execution of a GitHub Actions workflow that builds a software artifact.
Only the following trigger types are supported:
|Supported event type||Event description|
|workflow_dispatch||A user manually queued the workflow.|
|push||CI triggered by a Git push event.|
|pull_request||CI triggered when a pull request is opened or updated.|
|tag||CI triggered when a new tag is pushed to the repository.|
|schedule||Starts your pipeline based on a schedule, such as a nightly build.|
|create||CI triggered when a branch or tag is created.|
|workflow_run||CI triggered when a workflow run is requested or completed.|
A list of all event types can be found on the GitHub Actions documentation here.
External parameters All external parameters are REQUIRED unless empty.
|workflow||object||The workflow that was run|
|workflow.name||string||The name of the GitHub Actions workflow|
|workflow.repository||string||URI of the git repository|
|workflow.ref||string||A git reference to the commit|
|workflow.filePath||string||Path to the workflow YAML file|
|job||object||The job definition for the build|
|job.jobName||string||The name of the job|
|build||object||The specific build that generated the provenance|
|build.buildRun||string||The build run ID|
|build.buildRunAttempt||string||Number attempt for the specified build run ID|
|build.buildUrl||string||The full web URL for the build|
"name": "GitHub Test Workflow",
All internal parameters are OPTIONAL. This build type doesn't use internal parameters.
The resolvedDependencies SHOULD contain an entry identifying the resolved git commit ID corresponding to
externalParameters.workflow. The dependency's URI MUST be in SPDX Download Location format, i.e., "git+" + workflow.uri + "@" + workflow.ref.
builder.id MUST represent the entity that generated the provenance, as per the SLSA Provenance documentation. In the case of GitHub Actions, it should be the URL of the repository and the reference to the workflow.
invocationId SHOULD be set to the GitHub Actions URL for the specific run and run attempt.