Description
Feature Overview
Some projects publish GitHub attestations of a different type than the default https://slsa.dev/provenance/v1. These are typically produced using the actions/attest action (as opposed to the "usual" actions/attest-build-provenance).
These are quite rare in comparison to the usual ones: https://github.com/search?q=%22uses%3A+actions%2Fattest%40%22+path%3A.github+language%3AYAML&type=code
Anyway, I thought I'd drop a note here, I guess aqua could support verifying them, too, as implementation would seem quite trivial.
I do not have an actual case at hand where an existing aqua registry project would benefit from this, but here's an example project (and see above search for more):
- https://github.com/pkdindustries/soulshack/attestations
- https://github.com/pkdindustries/soulshack/blob/f625a32a1dd503edc0980eb081a2eae249cab578/.github/workflows/go.yml#L91-L102
- Verifiable with:
  `gh attestation verify ARTIFACT --repo pkdindustries/soulshack --predicate-type https://in-toto.io/attestation/release/v0.1`
Why is the feature needed?
Better support for verifying less common GH artifact attestations.
Example Code
Configuration could look like
github_artifact_attestations:
  signer_workflow: ...
  predicate_type: ...
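An added example (not aqua's code, nor the soulshack project's) of the check that a `predicate_type` option implies: decode the DSSE envelope a Sigstore bundle carries, confirm the in-toto `predicateType` is the configured one, and confirm a subject digest matches the downloaded artifact. The envelope here is constructed and unsigned; signature and signer-workflow verification are assumed to be done by sigstore separately.

```go
package main

import (
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// CheckEnvelope decodes a DSSE envelope (how a Sigstore bundle carries the in-toto statement),
// checks the predicate type is the configured one and that a subject sha256 matches the artifact.
func CheckEnvelope(envJSON, artifact []byte, wantPredicate string) error {
	var env struct{ PayloadType, Payload string }
	if err := json.Unmarshal(envJSON, &env); err != nil {
		return err
	}
	if env.PayloadType != "application/vnd.in-toto+json" {
		return fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	raw, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return err
	}
	var st struct { // only the in-toto Statement v1 fields the check needs
		PredicateType string `json:"predicateType"`
		Subject       []struct {
			Digest map[string]string `json:"digest"`
		} `json:"subject"`
	}
	if err = json.Unmarshal(raw, &st); err != nil {
		return err
	}
	if st.PredicateType != wantPredicate {
		return fmt.Errorf("predicateType %q, want %q", st.PredicateType, wantPredicate)
	}
	want := fmt.Sprintf("%x", sha256.Sum256(artifact))
	for _, s := range st.Subject {
		if s.Digest["sha256"] == want {
			return nil
		}
	}
	return fmt.Errorf("no subject matches sha256:%s", want)
}

// ConstructedEnvelope builds a sample, unsigned envelope so the check can run offline (constructed data).
func ConstructedEnvelope(predicateType string, artifact []byte) []byte {
	stmt := fmt.Sprintf(`{"_type":"https://in-toto.io/Statement/v1","predicateType":%q,"subject":[{"name":"soulshack","digest":{"sha256":"%x"}}],"predicate":{}}`, predicateType, sha256.Sum256(artifact))
	env, _ := json.Marshal(map[string]string{"payloadType": "application/vnd.in-toto+json", "payload": base64.StdEncoding.EncodeToString([]byte(stmt))})
	return env
}
```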
Note
No response