## Feature Description

Replace the external slsa-framework/slsa-github-generator workflow with the enterprise-compliant actions/attest-build-provenance@v3 action to resolve enterprise policy violations while maintaining OSSF Scorecard compliance.

## Current Behavior

The Application Matrix Builds workflow uses SLSA attestation from:

```yaml
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
```

This fails with:

```
Error: The reusable workflow slsa-framework/slsa-github-generator/.github/workflows/[email protected]
is not allowed in microsoft/edge-ai because all reusable workflows must be from a repository owned by your enterprise.
```
## Proposed Solution

Replace with GitHub's native attestation action:

```yaml
- uses: actions/attest-build-provenance@v3
  with:
    subject-path: |
      ${{ steps.build.outputs.artifact-path }}
    push-to-registry: true
```

## Benefits

- Enterprise Compliant: `actions/*` is Microsoft-owned, satisfies enterprise policy
- OSSF Scorecard: Maintains 10/10 score for signed-releases check
- SLSA Level 3: Equivalent provenance attestation capability
- Native Integration: Uses GitHub's built-in artifact attestation
## Implementation Details

Affected File: `.github/workflows/pages-deploy.yml` (line ~782)

Current:

```yaml
attestation:
  needs: [build]
  uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
  with:
    base64-subjects: ${{ needs.build.outputs.artifacts-sha256 }}
```

Replacement:

```yaml
attestation:
  needs: [build]
  runs-on: ubuntu-latest
  permissions:
    id-token: write
    attestations: write
    contents: read
  steps:
    - uses: actions/attest-build-provenance@v3
      with:
        subject-path: ${{ needs.build.outputs.artifact-path }}
```
## Additional Context

- Failure Count: 20+ failures in Application Matrix Builds
- Research: `.copilot-tracking/research/20260114-github-pr-linting-failures-research.md`
- Reference: GitHub Artifact Attestation docs
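As an added example (not from this issue or the microsoft/edge-ai repository), a complete two-job workflow showing what the replacement `attestation` job in Implementation Details needs around it: the build job uploads the artifact, the attestation job downloads it (files written by the build job are not present on the attestation job's runner) before calling actions/attest-build-provenance@v3, and a final step verifies the stored attestation with `gh attestation verify`. The artifact name, the `dist/site.tar.gz` path and the build command are assumptions.

```yaml
name: Application Matrix Builds (attestation example)

on:
  push:
    branches: [main]

jobs:
  build:
    runs-on: ubuntu-latest
    outputs:
      artifact-name: ${{ steps.build.outputs.artifact-name }}
    steps:
      - uses: actions/checkout@v4
      - id: build
        # Hypothetical build step: packages part of the checkout into dist/site.tar.gz
        run: |
          mkdir -p dist && tar -czf dist/site.tar.gz README.md
          echo "artifact-name=site" >> "$GITHUB_OUTPUT"
      - uses: actions/upload-artifact@v4
        with:
          name: site
          path: dist/site.tar.gz

  attestation:
    needs: [build]
    runs-on: ubuntu-latest
    permissions:
      id-token: write      # OIDC identity used to sign the provenance via Sigstore
      attestations: write  # required to store the attestation on the repository
      contents: read
    steps:
      # Files written by the build job are not on this runner: download the
      # artifact before attesting it, or move the attest step into the build job.
      - uses: actions/download-artifact@v4
        with:
          name: ${{ needs.build.outputs.artifact-name }}
          path: dist
      - uses: actions/attest-build-provenance@v3
        with:
          subject-path: dist/site.tar.gz
      # Consumer-side check: verification fails unless the attestation was
      # signed by a workflow run in this repository.
      - env:
          GH_TOKEN: ${{ github.token }}
        run: gh attestation verify dist/site.tar.gz --repo "${{ github.repository }}"
```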