When GCB is used without a GitHub repository trigger, then it automatically pulls source into a GCS bucket for build: gs://PROJECT_cloudbuild/source
Currently, v1.4.1 of slsa-verifier still expects and requires a source match, and users would have to pass the source bucket in.
In #300, I allow users to match on a bucket like --source-uri gs://slsa-tooling_cloudbuild/source in the same way we allow source pinning without commit.
On the other hand, our SLSA tool has no distinction between leveling. Versioned source is a fairly low level requirement, and GCB builds do not satisfy that. If we start to distinguish between requirements of different builders, then we also probably want a way to specify what level the builder is achieving.
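The two matching modes discussed above, as an added Go sketch that is not slsa-verifier's own code: a `gs://` bucket URI can only be matched by path prefix and is never commit-pinned, while a repository URI may optionally pin a ref. The URI formats, the function names and the `MatchResult` type are assumptions for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// MatchResult records whether the expected --source-uri matched the
// provenance source and whether the match carried a pinned ref.
// CommitPinned is always false for a bucket match, which is the point
// the issue raises: a GCB bucket source is not version controlled.
type MatchResult struct {
	Matched      bool
	CommitPinned bool
	Reason       string
}

// splitRef separates an optional "@ref" suffix (assumed format:
// git+https://github.com/org/repo@refs/tags/v1.2.3).
func splitRef(uri string) (base, ref string) {
	if i := strings.LastIndex(uri, "@"); i >= 0 {
		return uri[:i], uri[i+1:]
	}
	return uri, ""
}

// MatchSource compares the user-supplied expected URI with the source URI
// recorded in the provenance (both formats constructed for this example).
func MatchSource(expected, actual string) MatchResult {
	if strings.HasPrefix(expected, "gs://") {
		// GCB without a repo trigger uploads a tarball under the bucket path,
		// e.g. gs://project_cloudbuild/source/<object>.tgz; match the prefix
		// on a path-segment boundary so "source2" does not satisfy "source".
		if actual == expected || strings.HasPrefix(actual, strings.TrimSuffix(expected, "/")+"/") {
			return MatchResult{true, false, "bucket prefix matched; source not version controlled"}
		}
		return MatchResult{false, false, "bucket mismatch"}
	}
	expBase, expRef := splitRef(expected)
	actBase, actRef := splitRef(actual)
	switch {
	case expBase != actBase:
		return MatchResult{false, false, "repository mismatch"}
	case expRef == "":
		return MatchResult{true, false, "repository matched; ref not pinned"}
	case expRef != actRef:
		return MatchResult{false, false, "ref mismatch"}
	}
	return MatchResult{true, true, "repository and ref matched"}
}

func main() {
	fmt.Printf("%+v\n", MatchSource("gs://slsa-tooling_cloudbuild/source", "gs://slsa-tooling_cloudbuild/source/1234.tgz"))
}
```

A verifier that wants to report a SLSA level would need to surface `CommitPinned` (or an equivalent) rather than a bare pass/fail, since the bucket match passes without satisfying the versioned-source requirement.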