
[feature] Proposal: Update provenance generators to SLSA Provenance v1.0 #4450

@1xor3us

Description

Summary

Hi,

I've been using the slsa-github-generator in one of my GitHub Actions projects and noticed that it’s still based on the SLSA Provenance v0.2 schema.

I’ve updated my fork to use SLSA Provenance v1.0, starting with the container workflows (to fit my project needs), and it’s working correctly with verified attestations published to Rekor.

Before opening a PR, I’d like to ask:

  • Would you be open to migrating all provenance generators (container, Go, generic, etc.) to SLSA v1.0?
  • Or would you prefer incremental updates?

If you prefer, I can keep the current v0.2 generator untouched and add the v1 version alongside it, so both remain available.


What I’ve done so far

  • Updated the container workflow to generate SLSA Provenance v1.0 attestations
  • Adjusted attestation fields (buildType, subject, builder, etc.) to match the new schema
  • Verified that the resulting attestations are valid and verifiable via Rekor and cosign

Example of a working attestation

You can see an example of a valid v1 attestation generated with my fork in this project:

  • Repository: 1xor3us/gke-allow-runner-action
  • Release: v1.7.0
  • Attestation: available on Rekor under serial
    6a0524531a3a860123d0ec6e9690d4fab7e10267d32c96181825a502329852f7
    (also verifiable via cosign)

The attestation corresponds to a successful build of the image defined in
.github/workflows/release.yml, which was signed using my updated SLSA v1 workflow.


Motivation

SLSA Provenance v1.0 is now the stable, finalized schema.
Migrating the generators would help projects stay up to date with the latest SLSA specification and avoid using legacy v0.2 definitions.

I’m happy to open a PR for the container workflow first — or a full migration if preferred.


Technical details (for context)

In my fork, I’ve updated:

  • The container workflow YAML to:
    • Use cosign v4
    • Generate SLSA Provenance v1.0 instead of v0.2
    • Maintain full compatibility with GitHub OIDC signing
  • The Go generator code, renamed to avoid conflicts with the existing v0.2 implementation
    (so both v0.2 and v1 generators can coexist if desired)

You can view the changes here:
➡️ 1xor3us/slsa-github-generator
to compare with the main branch and see the diff.

Have a great day.
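The field relocations this issue lists (builder, buildType, subject) are exactly what a consumer has to cope with while v0.2 and v1 generators coexist. The Go program below is an added example, not code from this issue or from slsa-github-generator: a verifier-side normalizer that accepts an in-toto statement carrying either predicate type, extracts the builder identity and build type a policy would pin, and rejects any other predicate type or a predicate with those fields missing. The builder IDs, build types and digests in the embedded statements are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// Predicate type URIs defined by the SLSA specification.
const (
	PredicateV02 = "https://slsa.dev/provenance/v0.2"
	PredicateV1  = "https://slsa.dev/provenance/v1"
)

// Subject is the in-toto statement subject; its shape is identical in both versions.
type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

// statement is the in-toto payload; the predicate stays raw until predicateType is known.
type statement struct {
	PredicateType string          `json:"predicateType"`
	Subject       []Subject       `json:"subject"`
	Predicate     json.RawMessage `json:"predicate"`
}

// v0.2 predicate: builder and buildType sit at the top level.
type predicateV02 struct {
	Builder   struct{ ID string `json:"id"` } `json:"builder"`
	BuildType string                          `json:"buildType"`
}

// v1 predicate: buildType moves under buildDefinition, the builder under runDetails.
type predicateV1 struct {
	BuildDefinition struct {
		BuildType string `json:"buildType"`
	} `json:"buildDefinition"`
	RunDetails struct {
		Builder struct{ ID string `json:"id"` } `json:"builder"`
	} `json:"runDetails"`
}

// Summary is the version-independent view a verification policy keys on.
type Summary struct {
	PredicateType, BuilderID, BuildType string
	Subjects                            []Subject
}

// Summarize decodes a statement carrying v0.2 or v1 provenance and rejects any
// other predicate type, so a policy can pin the builder identity either way.
func Summarize(raw []byte) (Summary, error) {
	var st statement
	if err := json.Unmarshal(raw, &st); err != nil {
		return Summary{}, fmt.Errorf("decode statement: %w", err)
	}
	if len(st.Subject) == 0 {
		return Summary{}, errors.New("statement has no subject")
	}
	s := Summary{PredicateType: st.PredicateType, Subjects: st.Subject}
	switch st.PredicateType {
	case PredicateV02:
		var p predicateV02
		if err := json.Unmarshal(st.Predicate, &p); err != nil {
			return Summary{}, fmt.Errorf("decode v0.2 predicate: %w", err)
		}
		s.BuilderID, s.BuildType = p.Builder.ID, p.BuildType
	case PredicateV1:
		var p predicateV1
		if err := json.Unmarshal(st.Predicate, &p); err != nil {
			return Summary{}, fmt.Errorf("decode v1 predicate: %w", err)
		}
		s.BuilderID, s.BuildType = p.RunDetails.Builder.ID, p.BuildDefinition.BuildType
	default:
		return Summary{}, fmt.Errorf("unsupported predicateType %q", st.PredicateType)
	}
	if s.BuilderID == "" || s.BuildType == "" {
		return Summary{}, errors.New("provenance lacks builder id or buildType")
	}
	return s, nil
}

// Constructed sample statements: builder IDs, build types and digests are placeholders.
const sampleV02 = `{"_type":"https://in-toto.io/Statement/v0.1","predicateType":"https://slsa.dev/provenance/v0.2",
"subject":[{"name":"ghcr.io/example/app","digest":{"sha256":"aa11"}}],
"predicate":{"builder":{"id":"https://example.com/builders/container@v0.2"},"buildType":"https://example.com/buildtypes/container@v0.2"}}`

const sampleV1 = `{"_type":"https://in-toto.io/Statement/v1","predicateType":"https://slsa.dev/provenance/v1",
"subject":[{"name":"ghcr.io/example/app","digest":{"sha256":"aa11"}}],
"predicate":{"buildDefinition":{"buildType":"https://example.com/buildtypes/container@v1","externalParameters":{"workflow":{"path":".github/workflows/release.yml"}}},
"runDetails":{"builder":{"id":"https://example.com/builders/container@v1"}}}}`

func main() {
	for _, doc := range []string{sampleV02, sampleV1} {
		s, err := Summarize([]byte(doc))
		fmt.Printf("builder=%q buildType=%q err=%v\n", s.BuilderID, s.BuildType, err)
	}
}
```

Decoding the predicate as `json.RawMessage` and switching on `predicateType` is what lets a single policy check run unchanged against both generator outputs; anything outside the two known predicate types fails closed rather than being treated as a provenance with empty fields.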

Metadata

Assignees

No one assigned

Labels

status:triage (Issue that has not been triaged), type:feature (New feature or request)

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests