{"id":34991273,"url":"https://github.com/buildkite-plugins/generate-provenance-attestation-buildkite-plugin","last_synced_at":"2026-05-21T00:34:04.370Z","repository":{"id":257498458,"uuid":"858469036","full_name":"buildkite-plugins/generate-provenance-attestation-buildkite-plugin","owner":"buildkite-plugins","description":"Buildkite plugin that generates a SLSA Provenance attestation for a build step","archived":false,"fork":false,"pushed_at":"2025-10-22T17:46:01.000Z","size":41,"stargazers_count":1,"open_issues_count":2,"forks_count":0,"subscribers_count":7,"default_branch":"main","last_synced_at":"2025-10-22T19:30:17.603Z","etag":null,"topics":["buildkite-plugin","slsa-provenance"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/buildkite-plugins.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-09-17T00:22:56.000Z","updated_at":"2025-10-22T17:46:05.000Z","dependencies_parsed_at":"2024-09-17T04:05:03.349Z","dependency_job_id":"695b67db-1dde-4bd2-9b6a-a5d05acd4645","html_url":"https://github.com/buildkite-plugins/generate-provenance-attestation-buildkite-plugin","commit_stats":null,"previous_names":["buildkite-plugins/generate-provenance-attestation-buildkite-plugin"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/buildkite-plugins/generate-provenance-attestation-buildkite-plugin","repository_url":"https://repos.ecosyste.ms/ap
i/v1/hosts/GitHub/repositories/buildkite-plugins%2Fgenerate-provenance-attestation-buildkite-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buildkite-plugins%2Fgenerate-provenance-attestation-buildkite-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buildkite-plugins%2Fgenerate-provenance-attestation-buildkite-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buildkite-plugins%2Fgenerate-provenance-attestation-buildkite-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/buildkite-plugins","download_url":"https://codeload.github.com/buildkite-plugins/generate-provenance-attestation-buildkite-plugin/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/buildkite-plugins%2Fgenerate-provenance-attestation-buildkite-plugin/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33282244,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-20T15:12:43.734Z","status":"ssl_error","status_checked_at":"2026-05-20T15:12:42.300Z","response_time":356,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while 
reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["buildkite-plugin","slsa-provenance"],"created_at":"2025-12-27T01:54:49.903Z","updated_at":"2026-05-21T00:34:04.362Z","avatar_url":"https://github.com/buildkite-plugins.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Generate Provenance Attestation Buildkite Plugin\n\nThis [Buildkite plugin](https://buildkite.com/docs/agent/v3/plugins) generates a SLSA Provenance attestation for artifacts that were produced in a Buildkite build step.\n\nIt runs as a [post-artifact hook](https://buildkite.com/docs/agent/v3/hooks#job-lifecycle-hooks) that generates a provenance attestation for all the relevant artifacts that were built and uploaded by the step that it is attached to.\n\nThe plugin then uploads the attestation to artifact storage for downstream usage.\n\n### Attestation format\n\nThe core of the attestation is an [in-toto Statement](https://github.com/in-toto/attestation/blob/main/spec/v1/statement.md) that attests to the build provenance of artifacts that were produced in a Buildkite build step. See [examples/statement.json](./examples/statement.json).\n\nThis statement is serialised and signed in an [in-toto Envelope](https://github.com/in-toto/attestation/blob/main/spec/v1/envelope.md) using the [DSSE v1.0](https://github.com/secure-systems-lab/dsse/blob/v1.0.0/envelope.md) format. 
See [examples/envelope.json](examples/envelope.json).\n\nThe [envelope](examples/envelope.json) is the resultant attestation that is uploaded to the build's artifact storage.\n\n### SLSA Build Levels\n\nThe in-toto Statement satisfies the [Provenance Exists requirement](https://slsa.dev/spec/v1.0/requirements#provenance-exists) needed for [SLSA Build Level 1](https://slsa.dev/spec/v1.0/requirements#build-levels).\n\nThe in-toto Envelope is currently signed using a hard-coded private key for demonstration purposes, so the signature does not yet establish authenticity. This lays the groundwork for the Statement to be signed with a user-specified private key in the future, which will satisfy the [Provenance is Authentic requirement](https://slsa.dev/spec/v1.0/requirements#provenance-authentic) needed for [SLSA Build Level 2](https://slsa.dev/spec/v1.0/requirements#build-levels).\n\n## Quick Start\n\n```yaml\nsteps:\n  - label: \"Build Gem\"\n    command: \"gem build awesome-logger.gemspec\"\n    artifact_paths: \"awesome-logger-*.gem\"\n    plugins:\n      - generate-provenance-attestation#v1.1.0:\n        artifacts: \"awesome-logger-*.gem\"\n        attestation_name: \"gem-provenance-attestation.json\"\n```\n\n## Options\n\n#### `artifacts` (string, required)\n\nA glob pattern that selects the artifacts to include in the provenance attestation.\n\n#### `attestation_name` (string, required)\n\nName to use when uploading the provenance attestation to artifact storage.\n\n## Usage\n\nIn the example below, the pipeline step builds a gem **awesome-logger-\u003cversion\u003e.gem** and uploads it to artifact storage.\n\nThe Generate Provenance Attestation plugin generates a provenance attestation that incorporates the gem file (included by the `artifacts` glob), and uploads the attestation to artifact storage as `gem-provenance-attestation.json` (as specified by `attestation_name`).\n\n`gem-provenance-attestation.json` can then be persisted in later steps or published to a package registry alongside the newly built 
gem.\n\n```yaml\nsteps:\n  - label: \"Build Gem\"\n    key: \"build-gem\"\n    command: \"gem build awesome-logger.gemspec\"\n    artifact_paths: \"awesome-logger-*.gem\"\n    plugins:\n      - generate-provenance-attestation#v1.1.0:\n        artifacts: \"awesome-logger-*.gem\"\n        attestation_name: \"gem-provenance-attestation.json\"\n```\n\n## Development\n\nThe core of the plugin is a [Python](https://www.python.org) program [main.py](./main.py).\n\nIt accepts the following arguments:\n\n| Argument             | Description                                              |\n| -------------------- | -------------------------------------------------------- |\n| -g, --artifacts-glob | Only include artifacts that match this glob.             |\n| -o, --output         | Write provenance attestation to a file instead of STDOUT |\n\n#### Example\n\n```shell\npython3 ./main.py \\\n  --artifacts-glob \"*.gem\" \\\n  --output \"./gem-provenance-attestation.json\"\n```\n\n### Other common tasks\n\n#### Running with fake environment variables\n\nIf `FAKE_ENV` environment variable is set to `1`, the program will use a set of fake `BUILDKITE_*` environment variables and fake artifact files defined in [attestation_generator/helpers.py](./attestation_generator/helpers.py).\n\n```shell\nFAKE_ENV=1 python3 ./main.py\n```\n\n#### Check type annotations with mypy\n\n```shell\nbrew install mypy # once-off setup\n\nmypy --strict **/*.py\n```\n\n#### Run unit tests\n\n```shell\npython3 -m unittest tests/*.py\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuildkite-plugins%2Fgenerate-provenance-attestation-buildkite-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbuildkite-plugins%2Fgenerate-provenance-attestation-buildkite-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbuildkite-plugins%2Fgenerate-provenance-attestation-buildkite-plugin/lists"}