[discussion] Support tags other than github.ref

[ianlewis]

Some workflows release via a workflow_dispatch event (example: jib).

Several slsa-github-generator workflows support an upload-tag-name field to allow uploading provenance to a tag other than github.ref since there is no associated tag for workflow_dispatch events.

Currently the provenance does not include any info on the tag used to generate the artifact in this case so slsa-verifier cannot verify the tag using --source-tag.

Should we support something like this? How?

I think it's not possible for the generic generator since we have no control over the source and build steps themselves, however it might be possible with builder workflows.

[ianlewis]

Example test:

• GHA run: https://github.com/ianlewis/actions-test/actions/runs/4653862659
• Release w/ artifacts & provenance: https://github.com/ianlewis/actions-test/releases/tag/v99

$ slsa-verifier verify-artifact --source-tag v99 --provenance-path multiple.intoto.jsonl --source-uri github.com/ianlewis/actions-test artifact1 
Verified signature against tlog entry index 17555002 at URL: https://rekor.sigstore.dev/api/v1/log/entries/24296fb24b8ad77a538ab5c694d7c9b8653e6f866ffef63a4b8c4b4ab038a045c50d334ea8f59a18
Verifying artifact artifact1: FAILED: expected tag 'refs/tags/v99', got '': tag used to generate the binary does not match provenance

FAILED: SLSA verification failed: expected tag 'refs/tags/v99', got '': tag used to generate the binary does not match provenance

[another-rex]

+1 we are also running into this problem in osv-scanner. We create the tag during the workflow_dispatch event, and it'll be great to have the tag information in the provenance generated at the end.