Add functionality to output the UUID for log lookup purposes

.github/workflows/generator_generic_slsa3.yml

@@ -97,6 +97,9 @@ on:
       provenance-name:
         description: "The artifact name of the signed provenance. (A file with the intoto.jsonl extension)."
         value: ${{ jobs.generator.outputs.provenance-name }}
+      provenance-rekor-uuid:
+        description: "The Rekor UUID is a unique identifier that can be used to search for and view specific log entry details on the Rekor Search UI."
+        value: ${{ jobs.generator.outputs.uuid }}
       # Note: we use this output because there is no buildt-in `outcome` and `result` is always `success`
       # if `continue-on-error` is set to `true`.
       outcome:
@@ -145,6 +148,7 @@ jobs:
       outcome: ${{ steps.final.outputs.outcome }}
       provenance-sha256: ${{ steps.sign-prov.outputs.provenance-sha256 }}
       provenance-name: ${{ steps.sign-prov.outputs.provenance-name }}
+      uuid: ${{ steps.sign-prov.outputs.uuid }}
       subject-artifact-name: ${{ steps.metadata.outputs.artifact_name }}
     runs-on: ubuntu-latest
     needs: [detect-env]
@@ -234,7 +238,10 @@ jobs:
           # number of subjects based on in-toto attestation bundle file naming conventions.
           # See: https://github.com/in-toto/attestation/blob/main/spec/bundle.md#file-naming-convention
           # NOTE: The attest commmand outputs the provenance-name and provenance-sha256
-          "$GITHUB_WORKSPACE/$BUILDER_BINARY" attest --subjects-filename "${SUBJECTS_FILENAME}" -g "$untrusted_prov_name"
+          output=$("$GITHUB_WORKSPACE/$BUILDER_BINARY" attest --subjects-filename "${SUBJECTS_FILENAME}" -g "$untrusted_prov_name")
+          echo "$output"
+          uuid=$(echo "$output" | grep -oP 'UUID \K[0-9a-f]{80}')
+          echo "uuid=$uuid" >> $GITHUB_OUTPUT
 
       - name: Upload the signed provenance
         id: upload-prov

CHANGELOG.md

@@ -11,6 +11,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - [Unreleased](#unreleased)
   - [Unreleased: Vars context recorded in provenance](#unreleased-vars-context-recorded-in-provenance)
+  - [Unreleased: Provenance Rekor UUID Output](#unreleased-provenance-rekor-uuid-output)
 - [v2.0.0](#v200)
   - [v2.0.0: Breaking Change: upload-artifact and download-artifact](#v200-breaking-change-upload-artifact-and-download-artifact)
   - [v2.0.0: Breaking Change: attestation-name Workflow Input and Output](#v200-breaking-change-attestation-name-workflow-input-and-output)
@@ -112,6 +113,11 @@ duplication."
   container generators. The `vars` context cannot affect the build in the Go
   builder so it is not recorded.
 
+### Unreleased: Provenance Rekor UUID Output
+
+- **Added**: The workflow now includes the output of `provenance-rekor-uuid` for log lookup purposes.
+  This enhancement ensures that each build and deployment can be traced and audited using a unique identifier.
+
 ## v2.0.0
 
 ### v2.0.0: Breaking Change: upload-artifact and download-artifact

internal/builders/generic/README.md

@@ -272,12 +272,11 @@ The [generic workflow](https://github.com/slsa-framework/slsa-github-generator/b
 
 ### Workflow Outputs
 
-The [generic workflow](https://github.com/slsa-framework/slsa-github-generator/blob/main/.github/workflows/generator_generic_slsa3.yml) produces the following outputs:
-
-| Name              | Description                                                                                     |
-| ----------------- | ----------------------------------------------------------------------------------------------- |
-| `provenance-name` | The artifact name of the signed provenance.                                                     |
-| `outcome`         | If `continue-on-error` is `true`, will contain the outcome of the run (`success` or `failure`). |
+| Name                    | Description                                                                                                                      |
+| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
+| `provenance-name`       | The artifact name of the signed provenance.                                                                                      |
+| `provenance-rekor-uuid` | The Rekor UUID is a unique identifier that can be used to search for and view specific log entry details on the Rekor Search UI. |
+| `outcome`               | If `continue-on-error` is `true`, will contain the outcome of the run (`success` or `failure`).                                  |
 
 ### Provenance Format