26481193910
95%

Ran 26 May 2026 11:36PM UTC

Jobs 1

Files 89

Run time 1min

Badge

Embed ▾

Committed 26 May 2026 11:30PM UTC coverage: 94.938%. Remained the same

Build # 26481193910

Build Type

push

github

Committed by

web-flow

Commit Message

docs(security): document the SLSA-generator tag-ref exception (#540)

OpenSSF Scorecard's Pinned-Dependencies check flags our tag-ref on
slsa-framework/slsa-github-generator (`@v2.1.0`) — but the generator's
generate-builder.sh explicitly rejects SHA pins and exits 2 with
"Invalid ref: <sha>. Expected ref of the form refs/tags/vX.Y.Z". Two
upstream projects with overlapping mandates are at impasse here, and
the community consensus (including scorecard's own goreleaser.yaml) is
to accept the ~1-point Pinned-Dependencies deduction.

Add a "Supply chain integrity" section to SECURITY.md that:
- Describes the SLSA v1.0 build provenance we ship (link to the
  existing docs/release-signatures.md verification recipe).
- Documents the SLSA generator exception with upstream issue links
  (slsa-github-generator#722, slsa-verifier#12, scorecard#2174,
  scorecard#1406) so the deduction is auditable.
- Notes that scorecard's own project does the same thing, with a link
  to their goreleaser.yaml as canonical precedent.

Tighten the inline comment at the `uses:` line in release-sign.yml to
point at SECURITY.md for the full rationale rather than duplicating it.

Coverage Stats

13486 of 14205 relevant lines covered (94.94%)

387954.91 hits per line

Jobs

ID	Job ID	Ran	Files	Coverage
1	26481193910.1	26 May 2026 11:36PM UTC	89	94.94	GitHub Action Run

prisma-risk / tsoracle / 26481193910
95%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 26481193910

prisma-risk / tsoracle / 26481193910 95%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 26481193910

prisma-risk / tsoracle / 26481193910
95%

README BADGES
x