Skip to content

source-tool isn't a PoC anymore #325

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Oct 30, 2025
Merged

source-tool isn't a PoC anymore #325

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion GETTING_STARTED.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -100,7 +100,7 @@ will be enabled through a regular pull request.
#### 2. Download sourcetool

Download the `sourcetool` binary for your local architecture from the [GitHub
releases page](https://github.com/slsa-framework/slsa-source-poc/releases/latest).
releases page](https://github.com/slsa-framework/source-tool/releases/latest).

## Authorize Sourcetool to Access your Repositories

Expand Down
26 changes: 10 additions & 16 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,6 @@
# slsa-source-poc
# source tool

A proof-of-concept for how the SLSA Source Track could be implemented.

The code in this repository should not be relied upon for production purposes.
A tool that helps users implement the SLSA Source Track.

Status: in development

Expand All @@ -13,18 +11,14 @@ this tool meets the SLSA Source Requirements.

[DESIGN.md](docs/DESIGN.md) explains more specifically how the system works.

## Components

[compute_slsa_source.yml](.github/workflows/compute_slsa_source.yml) is a reusable workflow that
is calculates a SLSA source level and produces 'source provenance' and a 'verification summary'
for the revision (commit) that was just pushed.

[local_attest.yml](.github/workflows/local_attest.yml) is a local workflow that invokes compute_slsa_source.yml.
[GETTING_STARTED.md](GETTING_STARTED.md) explains how to get started using the tool.

[slsa_with_provenance](actions/slsa_with_provenance/action.yml) is a GitHub Action that does most
of the work.
## Related repositories

[get_note](actions/get_note/action.yml) is a GitHub Action that gets a git note from a commit.
[source-actions](https://github.com/slsa-framework/source-actions) the GitHub Actions
used with source-tool to implement SLSA Source Track requirements within GitHub
projects.

[store_note](actions/store_note/action.yml) is a GitHub Action that stores a git note for
a commit.
[source-policies](https://github.com/slsa-framework/source-policies) stores each GitHub
project's 'policy' which details the SLSA Source Level and other controls implemented
by that repository.
Loading