Merged
We'll create a comprehensive **SLSA Setup Guide** HTML page based on slsa.dev documentation. This guide walks you through implementing SLSA for your projects, with a focus on Level 3 and the `generator-generic-ossf-slsa3-publish.yml` workflow.
```html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Setting up SLSA · Practical guide from slsa.dev</title>
<style>
* {
margin: 0;
padding: 0;
box-sizing: border-box;
}
body {
font-family: 'Inter', -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif;
background: #eef2f5;
color: #1c3c50;
line-height: 1.6;
padding: 2rem 1rem;
}
.page {
max-width: 1100px;
margin: 0 auto;
background: white;
border-radius: 2.5rem;
box-shadow: 0 30px 50px -20px rgba(0,40,60,0.3);
padding: 2.8rem;
}
h1 {
font-size: 2.8rem;
font-weight: 650;
background: linear-gradient(145deg, #0a4e6b, #1c6f94);
-webkit-background-clip: text;
-webkit-text-fill-color: transparent;
background-clip: text;
margin-bottom: 0.5rem;
}
.byline {
font-size: 1.2rem;
color: #2d6a8c;
border-left: 5px solid #2d9cdb;
padding-left: 1.2rem;
margin-bottom: 2.5rem;
}
h2 {
font-size: 2rem;
font-weight: 550;
color: #0e4c6b;
margin: 2.2rem 0 1rem;
border-bottom: 2px solid #c1ddec;
padding-bottom: 0.3rem;
}
h3 {
font-size: 1.5rem;
font-weight: 500;
color: #1c6582;
margin: 1.8rem 0 0.8rem;
}
p {
margin-bottom: 1.2rem;
color: #255e7a;
}
a {
color: #1c6f94;
text-decoration: none;
font-weight: 500;
border-bottom: 1px dotted #96c0da;
}
a:hover {
color: #0d4057;
border-bottom: 2px solid #0d4057;
}
.steps {
list-style: none;
counter-reset: step-counter;
margin: 2rem 0;
}
.steps li {
counter-increment: step-counter;
margin-bottom: 1.8rem;
padding-left: 3rem;
position: relative;
font-size: 1.1rem;
}
.steps li::before {
content: counter(step-counter);
background: #1e6f9f;
color: white;
font-weight: bold;
width: 2.2rem;
height: 2.2rem;
border-radius: 50%;
display: inline-flex;
align-items: center;
justify-content: center;
position: absolute;
left: 0;
top: -0.1rem;
font-size: 1.2rem;
}
code, pre {
font-family: 'Fira Code', 'Cascadia Code', monospace;
background: #1e2f3c;
color: #deecf9;
border-radius: 14px;
}
code {
padding: 0.2rem 0.5rem;
font-size: 0.9rem;
}
pre {
padding: 1.5rem;
overflow-x: auto;
line-height: 1.5;
margin: 1.5rem 0;
box-shadow: inset 0 0 12px #0f232f;
}
.card {
background: #f2faff;
border-radius: 24px;
padding: 1.8rem;
margin: 2rem 0;
border: 1px solid #b9d9f0;
}
.grid-2 {
display: grid;
grid-template-columns: 1fr 1fr;
gap: 1.8rem;
margin: 2rem 0;
}
.pill {
background: #1b4d66;
color: white;
padding: 0.3rem 1rem;
border-radius: 40px;
font-size: 0.8rem;
font-weight: 600;
letter-spacing: 0.4px;
display: inline-block;
}
.resource-list {
display: flex;
flex-wrap: wrap;
gap: 1rem;
margin: 2rem 0;
}
.resource-list a {
background: #e2f0fa;
padding: 0.8rem 1.5rem;
border-radius: 40px;
border: 1px solid #b3d1e8;
transition: 0.1s;
}
.resource-list a:hover {
background: #cbe5fd;
border-color: #5f9dc7;
}
.alert {
background: #fffbeb;
border-left: 8px solid #f3b33d;
padding: 1.5rem 2rem;
border-radius: 18px;
margin: 2rem 0;
}
hr {
border: none;
border-top: 2px dashed #c5dae9;
margin: 2.5rem 0;
}
footer {
margin-top: 3rem;
font-size: 0.9rem;
text-align: center;
color: #557e99;
}
</style>
</head>
<body>
<div class="page">
<h1>🔧 Setting up SLSA</h1>
<div class="byline">A practical guide based on <a href="https://slsa.dev" target="_blank">slsa.dev</a> documentation — achieve trusted software supply chains.</div>
<p>SLSA (Supply‑chain Levels for Software Artifacts) helps you incrementally improve the integrity of your build and distribution process. This guide walks you through the steps to set up SLSA for your project, from generating simple provenance to reaching Level 3 hardened builds.</p>
<!-- quick links to slsa.dev resources -->
<div class="resource-list">
<a href="https://slsa.dev/get-started" target="_blank">🚀 Get started</a>
<a href="https://slsa.dev/spec/v1.0/levels" target="_blank">📊 SLSA levels</a>
<a href="https://slsa.dev/provenance/v1" target="_blank">📦 Provenance format</a>
<a href="https://slsa.dev/verification-summary" target="_blank">✅ Verification</a>
<a href="https://slsa.dev/threat-model" target="_blank">⚠️ Threat model</a>
</div>
<h2>📌 Prerequisites</h2>
<ul style="margin-left:1.8rem;">
<li>A source repository (GitHub, GitLab, etc.)</li>
<li>A CI/CD system that supports hosted runners (GitHub Actions, GitLab CI, etc.)</li>
<li>Basic familiarity with YAML workflows</li>
<li>(Optional) A container registry or artifact repository to store signed provenance</li>
</ul>
<h2>🎯 Step‑by‑step to SLSA Level 3</h2>
<p>Follow these steps, each building on the previous one. The goal is to produce <strong>non‑forgeable provenance</strong> that consumers can verify.</p>
<ol class="steps">
<li><strong>Generate provenance (Level 1)</strong> – Create a simple provenance file describing your build. Use tools like <code>slsa‑generator</code> or write your own.</li>
<li><strong>Use a hosted build platform (Level 2)</strong> – Move builds to a trusted platform (e.g., GitHub Actions, GitLab CI) and sign the provenance.</li>
<li><strong>Harden the build (Level 3)</strong> – Ensure the build runs in an ephemeral, isolated environment and that signing keys are inaccessible to the build steps.</li>
</ol>
<div class="card">
<h3 style="margin-top:0;">🔁 Reusable workflow: generator-generic-ossf-slsa3-publish.yml</h3>
<p>For GitHub users, the <a href="https://github.com/slsa-framework/slsa-github-generator" target="_blank">SLSA GitHub Generator</a> provides a ready‑to‑use workflow that meets Level 3. Here’s how to call it in your repository:</p>
<pre># .github/workflows/release.yml
name: Release with SLSA provenance
on:
  release:
    types: [published]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make my-artifact   # your build command
      - uses: actions/upload-artifact@v4
        with:
          name: my-artifact
          path: path/to/artifact
  provenance:
    needs: build
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator-generic-ossf-slsa3-publish.yml@v1.7.0
    with:
      artifact-path: path/to/artifact
      provenance-name: provenance.intoto.jsonl
    permissions:
      id-token: write   # OIDC token for keyless (Sigstore) signing of the provenance
      contents: read
      actions: read     # needed to read the artifact from the build job</pre>
<p>That’s it! The workflow will generate, sign, and upload provenance alongside your artifact.</p>
</div>
<h2>🔐 Hardening details for Level 3</h2>
<p>According to <a href="https://slsa.dev/spec/v1.0/levels" target="_blank">slsa.dev/spec/v1.0/levels</a>, to achieve Level 3 you must:</p>
<div style="display: grid; grid-template-columns: repeat(2,1fr); gap:1rem; margin:1.5rem 0;">
<div style="background:#f6fbfe; padding:1rem; border-radius:16px;">✅ <strong>Isolated</strong> – build runs in ephemeral environment (fresh VM/container).</div>
<div style="background:#f6fbfe; padding:1rem; border-radius:16px;">✅ <strong>Parameterless</strong> – build steps cannot access signing secrets.</div>
<div style="background:#f6fbfe; padding:1rem; border-radius:16px;">✅ <strong>Non‑forgeable</strong> – provenance signed by the build platform.</div>
<div style="background:#f6fbfe; padding:1rem; border-radius:16px;">✅ <strong>Scripted</strong> – build definition fully in code.</div>
</div>
<p>The GitHub reusable workflow above already satisfies these when used with GitHub‑hosted runners. For other platforms, consult the <a href="#platform-table">platform comparison below</a>.</p>
<h2 id="platform-table">🧩 Platform‑specific setups</h2>
<table style="width:100%; border-collapse:collapse; margin:1.5rem 0;">
<thead><tr style="background:#1c5777; color:white;"><th>Platform</th><th>How to achieve Level 3</th><th>Verification command</th></tr></thead>
<tbody>
<tr style="border-bottom:1px solid #c5d5e5;"><td><strong>GitHub Actions</strong></td><td>Use <code>slsa-framework/slsa-github-generator</code> reusable workflow</td><td><code>gh attestation verify --signer-workflow ...</code></td></tr>
<tr style="border-bottom:1px solid #c5d5e5;"><td><strong>GitLab CI</strong> (proposed)</td><td>Use trusted control plane; signing in backend (design stage)</td><td><em>planned</em></td></tr>
<tr style="border-bottom:1px solid #c5d5e5;"><td><strong>kpack / Tanzu</strong></td><td>Isolated k8s pods + <code>cosign</code> keys attached to service account</td><td><code>cosign verify-attestation --key &lt;pubkey&gt;</code></td></tr>
<tr style="border-bottom:1px solid #c5d5e5;"><td><strong>Harness SCS</strong></td><td>SLSA Generation step with ephemeral infra</td><td>Harness built‑in verification</td></tr>
<tr style="border-bottom:1px solid #c5d5e5;"><td><strong>Chainguard</strong></td><td>MicroVM isolation + managed Sigstore (Sigstack)</td><td><code>cosign</code> / <code>slsa-verifier</code></td></tr>
</tbody>
</table>
<h2>✅ Verifying SLSA provenance</h2>
<p>Once you have provenance, consumers can verify it. Common tools:</p>
<ul style="margin-bottom:2rem;">
<li><strong>slsa-verifier</strong> – <code>slsa-verifier verify-artifact &lt;artifact&gt; --provenance-path provenance.intoto.jsonl --source-uri github.com/&lt;owner&gt;/&lt;repo&gt;</code></li>
<li><strong>cosign</strong> – <code>cosign verify-attestation --type slsaprovenance --key &lt;key&gt; &lt;image&gt;</code></li>
<li><strong>GitHub CLI</strong> – <code>gh attestation verify &lt;artifact&gt; --signer-workflow &lt;workflow&gt;</code></li>
</ul>
<!-- alert about the incomplete link -->
<div class="alert">
<strong>🔗 Note on “generator-generic-ossf-slsa3-publish.yml#L”:</strong> The fragment <code>#L</code> indicates a GitHub permalink to a specific line. A full URL would be like <code>https://github.com/&lt;owner&gt;/&lt;repo&gt;/blob/&lt;branch&gt;/.github/workflows/generator-generic-ossf-slsa3-publish.yml#L42</code>. Replace with your repository and line number.
</div>
<hr>
<h2>📖 Further reading from slsa.dev</h2>
<div class="resource-list">
<a href="https://slsa.dev/provenance" target="_blank">Provenance schema</a>
<a href="https://slsa.dev/attestation-model" target="_blank">Attestation model</a>
<a href="https://slsa.dev/faq" target="_blank">FAQ</a>
<a href="https://slsa.dev/blog" target="_blank">Blog</a>
<a href="https://slsa.dev/resources#presentations" target="_blank">Presentations</a>
<a href="https://slsa.dev/software" target="_blank">Software & tools</a>
</div>
<p>For a complete list, visit <a href="https://slsa.dev" target="_blank">slsa.dev</a> directly.</p>
<!-- footer with script-free assurance -->
<footer>
⚡ This page uses only HTML and CSS — no JavaScript. All links open in new tabs.<br>
<span style="opacity:0.7;">Last updated: March 2026 – based on SLSA v1.0 and v1.1 documentation.</span>
</footer>
</div>
</body>
</html>
```
### What this page includes:
- A clear **step‑by‑step guide** to implementing SLSA, from prerequisites to verification.
- A **practical example** using the `generator-generic-ossf-slsa3-publish.yml` workflow (the file you referenced) with copy‑paste‑ready code.
- A **platform comparison table** for Level 3 on different CI systems.
- **Verification commands** for common tools.
- An **alert box** explaining the incomplete `#L` GitHub link syntax.
- **Embedded links** to all major `slsa.dev` resources, organized in a resource bar.
- Pure HTML/CSS, no JavaScript, as requested.
Save the code as an `.html` file and open it in any browser. All links are set to open in a new tab for convenience.
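As an added example (not code from this PR or from the slsa-github-generator project), the consumer-side policy checks that sit behind the `slsa-verifier verify-artifact --source-uri ...` command in the guide above: decode the `provenance.intoto.jsonl` DSSE envelope, then confirm the subject digest matches the artifact, the builder ID is under a trusted prefix, and the expected source repository appears in `resolvedDependencies`. The trusted prefix, the builder ID string and the sample statement are constructed assumptions; the DSSE signature itself is not verified here, which remains the job of slsa-verifier, cosign or `gh attestation verify`.

```python
import base64
import hashlib
import json

# Builder IDs under this prefix are treated as trusted (assumption for this example).
TRUSTED_BUILDER_PREFIX = "https://github.com/slsa-framework/slsa-github-generator/"

def parse_envelope(line: bytes) -> dict:
    """Decode one DSSE envelope line into the in-toto Statement it wraps (signature NOT checked)."""
    env = json.loads(line)
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError("unexpected payloadType: %r" % env.get("payloadType"))
    return json.loads(base64.b64decode(env["payload"]))

def check_provenance(line: bytes, artifact: bytes, source_uri: str) -> list:
    """Return the list of policy failures; an empty list means every check passed."""
    stmt = parse_envelope(line)
    failures = []
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        failures.append("predicateType is not SLSA provenance v1")
    digest = hashlib.sha256(artifact).hexdigest()  # must equal a subject digest exactly
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        failures.append("artifact sha256 not among provenance subjects")
    pred = stmt.get("predicate", {})
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder_id.startswith(TRUSTED_BUILDER_PREFIX):
        failures.append("untrusted builder id: %r" % builder_id)
    deps = pred.get("buildDefinition", {}).get("resolvedDependencies", [])
    if not any(d.get("uri", "").startswith("git+https://%s@" % source_uri) for d in deps):
        failures.append("expected source %s not in resolvedDependencies" % source_uri)
    return failures

# Constructed sample (not a real build): an artifact and a matching, unsigned envelope.
ARTIFACT = b"hello from my-artifact\n"
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "my-artifact", "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {"resolvedDependencies": [{
            "uri": "git+https://github.com/example/repo@refs/tags/v1.0.0", "digest": {"gitCommit": "0" * 40}}]},
        "runDetails": {"builder": {"id": TRUSTED_BUILDER_PREFIX
            + ".github/workflows/generator-generic-ossf-slsa3-publish.yml@refs/tags/v1.7.0"}},
    },
}
PROVENANCE_LINE = json.dumps({"payloadType": "application/vnd.in-toto+json",
                              "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
                              "signatures": [{"keyid": "", "sig": "PLACEHOLDER-not-a-real-signature"}]}).encode()
```

Run the signature verification first; `check_provenance` only tells you whether a verified statement actually describes the artifact you hold and the source and builder you expect.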
This was linked to issues on Mar 11, 2026.
Sequence Diagram

This PR adds documentation for a reusable GitHub Actions workflow that builds an artifact, then generates and uploads SLSA Level 3 provenance for it using the SLSA GitHub Generator.

```mermaid
sequenceDiagram
    participant CallerWorkflow
    participant GitHubActions
    participant BuildJob
    participant ProvenanceJob
    participant SLSAGenerator
    participant ArtifactStorage
    CallerWorkflow->>GitHubActions: Invoke SLSA3 publish workflow with artifact path
    GitHubActions->>BuildJob: Run build job to create artifact
    BuildJob->>ArtifactStorage: Upload built artifact for provenance
    GitHubActions->>ProvenanceJob: Start provenance job after build
    ProvenanceJob->>ArtifactStorage: Download built artifact
    ProvenanceJob->>SLSAGenerator: Generate SLSA Level 3 provenance
    SLSAGenerator->>ArtifactStorage: Upload provenance file as artifact
```

Generated by CodeAnt AI
CodeAnt-AI Description

Add a comprehensive SLSA Level 3 reference, workflow content, and script-free HTML guides

Impact
- ✅ Clearer SLSA Level 3 setup guidance
- ✅ Easier workflow referencing with permalink examples
- ✅ Immediate access to verification command examples and resource links