This workflow generates SLSA provenance files for projects, satisfying level 3 requirements. It includes steps for building artifacts and generating provenance subjects.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Reviewed by Cursor Bugbot for commit 0afce43.
| build: | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| digests: ${{ steps.hash.outputs.digests }} |
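Review bot: the `outputs` block maps `digests` to `steps.hash.outputs.digests`, so the step with `id: hash` must write an output key literally named `digests`; if that step writes any other key (the comments on this PR say it writes `hashes`), the job output silently resolves to an empty string and the provenance job receives an empty `base64-subjects`. Pick one name and use it on both sides, for example `digests: ${{ steps.hash.outputs.hashes }}`, and consider having the provenance job fail fast when the input is empty so a future rename cannot produce provenance for zero artifacts unnoticed.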
Output variable name mismatch breaks provenance generation
High Severity
The build job output references steps.hash.outputs.digests but the hash step writes to hashes (not digests), so needs.build.outputs.digests will always be empty. The provenance job then receives an empty base64-subjects, making the entire SLSA provenance workflow non-functional.
| run: | | ||
| # These are some amazing artifacts. | ||
| echo "artifact1" > artifact1 | ||
| echo "artifact2" > artifact2 |
Placeholder artifacts instead of actual project build
High Severity
The build step creates dummy files (echo "artifact1" > artifact1) instead of building the actual project artifacts. This is unmodified SLSA template boilerplate. The workflow triggers on releases and workflow_dispatch, so it would generate provenance for meaningless placeholder files rather than real build outputs.
| build: | ||
| runs-on: ubuntu-latest | ||
| outputs: | ||
| digests: ${{ steps.hash.outputs.digests }} |
Bug: The build job references steps.hash.outputs.digests, but the hash step produces an output named hashes, causing the digests output to be empty.
Severity: HIGH
Suggested Fix
In the build job's outputs block, change the reference from steps.hash.outputs.digests to steps.hash.outputs.hashes to match the actual output name produced by the hash step.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: .github/workflows/generator-generic-ossf-slsa3-publish.yml#L23
Potential issue: The `build` job's `outputs` block maps the `digests` output to `steps.hash.outputs.digests`. However, the step with `id: hash` writes its output to a key named `hashes`. Because `steps.hash.outputs.digests` does not exist, the job-level `digests` output resolves to an empty string. This empty string is then passed as the `base64-subjects` input to the SLSA provenance generator, which will cause it to fail or generate incorrect provenance for zero artifacts.
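To make the output-name mismatch concrete, here is an added shell example (not the PR's workflow and not code from the SLSA project) that re-creates the generic generator's hash step in a scratch directory, models how `${{ steps.hash.outputs.<key> }}` resolves an unknown key to an empty string, and shows the check the provenance side should perform on `base64-subjects` before attesting anything. It assumes GNU coreutils (`sha256sum`, `base64 -w0`); the two artifact files and the `GITHUB_OUTPUT` path are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not the PR's workflow: re-creates the SLSA generic generator's
# hash step in a scratch directory and shows why the job-level `outputs` key
# must name the key the step actually writes. Assumes GNU coreutils.
set -eu

WORK="$(mktemp -d)"
GITHUB_OUTPUT="$WORK/github_output"   # stand-in for the runner-provided file
export GITHUB_OUTPUT
: > "$GITHUB_OUTPUT"

# Constructed sample artifacts; a real workflow would build these instead.
printf 'artifact1\n' > "$WORK/artifact1"
printf 'artifact2\n' > "$WORK/artifact2"

# Equivalent of the template's `id: hash` step: the output key it writes is
# `hashes` (sha256sum lines, base64-encoded on a single line).
hash_step() {
  subjects="$(cd "$WORK" && sha256sum artifact1 artifact2 | base64 -w0)"
  echo "hashes=$subjects" >> "$GITHUB_OUTPUT"
}

# Models the ${{ steps.hash.outputs.<key> }} lookup: a key that was never
# written resolves to the empty string rather than failing the job.
step_output() {
  grep "^$1=" "$GITHUB_OUTPUT" | head -n 1 | cut -d= -f2-
}

# What the consumer of base64-subjects should do: refuse an empty value, then
# check every decoded digest against the files on disk (--strict rejects
# malformed lines, so an empty or truncated list cannot pass as "no failures").
verify_subjects() {
  if [ -z "$1" ]; then
    echo "base64-subjects is empty: no artifacts would be attested" >&2
    return 1
  fi
  (cd "$WORK" && printf '%s' "$1" | base64 -d | sha256sum -c --strict --quiet)
}

hash_step
echo "steps.hash.outputs.digests -> '$(step_output digests)'"   # empty, as in the PR
echo "steps.hash.outputs.hashes  -> '$(step_output hashes)'"    # the real subject list
```

The fix on the PR side is purely a naming one (make the `outputs` entry read the key the step writes, or rename the step's key), but the `verify_subjects` check is the part worth carrying into the real workflow: an empty subject list should stop the run, not become provenance for nothing.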
| run: | | ||
| # These are some amazing artifacts. | ||
| echo "artifact1" > artifact1 | ||
| echo "artifact2" > artifact2 |
Bug: The workflow builds placeholder files (artifact1, artifact2) instead of the project's actual release artifacts, generating useless SLSA provenance for them.
Severity: HIGH
Suggested Fix
Replace the placeholder commands that create artifact1 and artifact2 with the actual build commands required to generate the project's release artifacts, as seen in the release.yml workflow.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: .github/workflows/generator-generic-ossf-slsa3-publish.yml#L34-L37
Potential issue: The "Build artifacts" step is configured to create two dummy placeholder files, `artifact1` and `artifact2`, instead of building the project's actual release artifacts (e.g., `.tgz` packages, binaries). As a result, the workflow generates and uploads SLSA provenance attesting to these meaningless files, completely defeating the purpose of supply-chain provenance as it does not cover the real artifacts distributed in a release.
Rename banner.png to volner.png
| workflow_dispatch: | ||
| release: |
Bug: Manually triggering the SLSA provenance workflow via workflow_dispatch will fail to upload the provenance artifact because the slsa-github-generator@v1.4.0 action cannot determine the release tag.
Severity: MEDIUM
Suggested Fix
To support manual triggers, upgrade the slsa-framework/slsa-github-generator action to v1.5.0 or later and provide the upload-tag-name input. If manual dispatch is not a required feature, remove the workflow_dispatch trigger to prevent this failure path.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: .github/workflows/generator-generic-ossf-slsa3-publish.yml#L15-L16
Potential issue: The SLSA provenance workflow `generator-generic-ossf-slsa3-publish.yml` is configured with both a `release` trigger and a `workflow_dispatch` trigger. When the workflow is manually triggered via `workflow_dispatch`, there is no associated GitHub Release. The `slsa-framework/slsa-github-generator` action, pinned to version `v1.4.0`, will either fail with an internal error or silently skip uploading the provenance when `upload-assets` is set to `true` without a release context. This happens because the action cannot determine the release tag to upload the assets to, and the `upload-tag-name` input, which could serve as a workaround, is not provided. Consequently, manually running this workflow will not result in the SLSA provenance being uploaded as intended.