Feature Description
Migrate the application-matrix-builds.yml workflow from the SLSA-style security bundle generation to GitHub's native actions/attest-build-provenance and actions/attest actions, consistent with the approach adopted in pages-deploy.yml via #332.
Current Behavior
The application-matrix-builds.yml workflow uses a custom SLSA-style attestation approach with an enableSLSA configuration flag and a -GenerateSlsa builder argument. This approach relies on the slsa-framework/slsa-github-generator pattern that is blocked by enterprise policy and has been replaced in the documentation deployment pipeline.
Relevant references in application-matrix-builds.yml:
- SLSA security bundle generation (lines 13, 23)
- enableSLSA configuration parsing and output (lines 49, 87, 127, 158, 215-217, 245)
- -GenerateSlsa builder argument (lines 426-427)
Proposed Solution
Replace the SLSA-style attestation with the same pattern established in PR #332:
- Build provenance attestation via actions/attest-build-provenance
- SBOM generation via anchore/sbom-action guided by .syft.yaml
- SBOM attestation via actions/attest
All actions should be SHA-pinned and registered in Update-ActionSHAPinning.ps1.
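The proposed pattern as a per-application job fragment, written here as an added example rather than the repository's actual workflow. Action SHA pins are placeholders to be filled in via Update-ActionSHAPinning.ps1; the matrix names, build entrypoint, artifact paths and the SPDX predicate type (the value GitHub's SBOM attestation uses) are assumptions:

```yaml
# Added example, not the repository's workflow. Shows the native attestation
# pattern replacing the SLSA security bundle in application-matrix-builds.yml.
# <SHA-PIN-PLACEHOLDER> values are to be pinned by Update-ActionSHAPinning.ps1.
jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        app: [app-a, app-b]          # assumed application names
    permissions:
      contents: read
      id-token: write                # needed for Sigstore signing of attestations
      attestations: write            # needed to store attestations on the repo
    steps:
      - uses: actions/checkout@<SHA-PIN-PLACEHOLDER>

      - name: Build ${{ matrix.app }}
        shell: pwsh
        # assumed build entrypoint; the old -GenerateSlsa argument is gone
        run: ./build.ps1 -App ${{ matrix.app }}

      # Build provenance replaces the SLSA bundle for this app's artifacts
      - name: Attest build provenance
        uses: actions/attest-build-provenance@<SHA-PIN-PLACEHOLDER>
        with:
          subject-path: dist/${{ matrix.app }}/**   # assumed artifact location

      # SPDX SBOM generated by Syft, configured from the repo's .syft.yaml
      - name: Generate SBOM
        uses: anchore/sbom-action@<SHA-PIN-PLACEHOLDER>
        with:
          path: dist/${{ matrix.app }}
          config: .syft.yaml
          format: spdx-json
          output-file: sbom-${{ matrix.app }}.spdx.json
          upload-artifact: false

      # Attest the SBOM against the same artifacts it describes
      - name: Attest SBOM
        uses: actions/attest@<SHA-PIN-PLACEHOLDER>
        with:
          subject-path: dist/${{ matrix.app }}/**
          predicate-type: https://spdx.dev/Document/v2.3
          predicate-path: sbom-${{ matrix.app }}.spdx.json
```

Once in place, each published artifact can be checked against both attestations with `gh attestation verify <artifact> --repo <owner>/<repo>`, which is the consumer-side counterpart of this change.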
Acceptance Criteria
- application-matrix-builds.yml: enableSLSA configuration flag and -GenerateSlsa builder argument removed or replaced with native attestation equivalent
- actions/attest-build-provenance attests per-application build artifacts
- anchore/sbom-action generates SPDX SBOM per application
- actions/attest attests the generated SBOMs
- attestations: write permission present on attestation job
- New actions SHA-pinned and registered in Update-ActionSHAPinning.ps1
- Matches the pages-deploy.yml attestation pattern from build(build): replace SLSA attestation with actions/attest #332
Related Issues
Additional Context
This was identified during review of PR #332 by @katriendg. The original issue #100 covers both pages-deploy.yml and the application matrix builds workflow; this issue tracks the remaining matrix builds migration as a discrete work item.