feat: Record vars in BYOB workflows #3636
Draft
Summary
The vars context is converted to JSON and passed to setup-generic by the TRW in the same way that the inputs context is added. Vars are then recorded in the SLSA token. Individual vars can be masked from the provenance as well via the slsa-masked-vars field in the same way as inputs. verify-token reads the vars from the SLSA token and includes them in the final provenance.

Note that changes to the TRW are necessary to record the vars context.
TODO:
Updates #1555
Testing Process
Checklist