slsa-framework · puerco · Aug 5, 2025 · Jul 30, 2025 · Aug 5, 2025 · Aug 5, 2025
diff --git a/.github/workflows/local_attest.yml b/.github/workflows/local_attest.yml
@@ -10,4 +10,4 @@ jobs:
     permissions:
       contents: write # needed for storing the vsa in the repo.
       id-token: write
-    uses: slsa-framework/slsa-source-poc/.github/workflows/compute_slsa_source.yml@main
+    uses: slsa-framework/source-actions/.github/workflows/compute_slsa_source.yml@main
diff --git a/hack/verify-protos.sh b/hack/verify-protos.sh
@@ -9,4 +9,9 @@ set -o xtrace
 source hack/common.sh
 
 make proto
+
+# Check if the proto definitions need updating
 git diff --exit-code || exit_with_msg "Code from protocol definitions is not up to date. Please run 'make proto' and commit the result"
+
+# Check the format of the proto files
+buf lint || exit_with_msg "The proto files have linting errors. Please run 'buf lint' and fix them before committing"
diff --git a/pkg/policy/policy.pb.go b/pkg/policy/policy.pb.go
diff --git a/pkg/provenance/provenance.pb.go b/pkg/provenance/provenance.pb.go
diff --git a/proto/v1/policy.proto b/proto/v1/policy.proto
@@ -2,50 +2,51 @@
 // SPDX-License-Identifier: Apache-2.0
 
 syntax = "proto3";
-package ampel.v1;
+package in_toto_attestation.predicates.source_provenance.v1;
 
 import "google/protobuf/timestamp.proto";
 
+// buf:lint:ignore PACKAGE_SAME_GO_PACKAGE
 option go_package = "github.com/slsa-framework/slsa-source-poc/pkg/policy";
 
 // The repository policy definition
 message RepoPolicy {
-    string canonical_repo = 1 [json_name="canonical_repo"];
-	repeated ProtectedBranch protected_branches = 2 [json_name="protected_branches"];
-    optional ProtectedTag protected_tag = 3;  
+  string canonical_repo = 1 [json_name = "canonical_repo"];
+  repeated ProtectedBranch protected_branches = 2 [json_name = "protected_branches"];
+  optional ProtectedTag protected_tag = 3;
 }
 
 // When a branch requires multiple controls, they must all be enabled
 // at or before 'since'.
 message ProtectedBranch {
-    string name = 1;
-    google.protobuf.Timestamp since = 2;
-    // We override this string with slsa.SlsaSourceLevel
-    string target_slsa_source_level = 3; 
-	bool require_review = 4;
-	repeated OrgStatusCheckControl org_status_check_controls = 5 [json_name="org_status_check_controls"];
+  string name = 1;
+  google.protobuf.Timestamp since = 2;
+  // We override this string with slsa.SlsaSourceLevel
+  string target_slsa_source_level = 3;
+  bool require_review = 4;
+  repeated OrgStatusCheckControl org_status_check_controls = 5 [json_name = "org_status_check_controls"];
 }
 
 // The controls required for protected tags.
 message ProtectedTag {
-    google.protobuf.Timestamp since = 1;
-    bool tag_hygiene = 2;
+  google.protobuf.Timestamp since = 1;
+  bool tag_hygiene = 2;
 }
 
 // Used by orgs to require that specific 'checks' are run on protected
 // branches and to associate those checks with a control name to include
 // in provenance and VSAs.
 // https://docs.github.com/en/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#require-status-checks-to-pass-before-merging
-message OrgStatusCheckControl  {
-	// The property to record in the VSA if the conditions are met.
-	// MUST start with `ORG_SOURCE_`.
-    // We'll overide this with slsa.ControlName
-    string property_name = 1;
-
-	// These controls have their own start time to enable orgs to enable
-	// new ones without violating continuity on other controls.
-	google.protobuf.Timestamp since = 2;
-
-	// The name of the 'Status Check' as reported in the GitHub UI & API.
-	string check_name = 3;
+message OrgStatusCheckControl {
+  // The property to record in the VSA if the conditions are met.
+  // MUST start with `ORG_SOURCE_`.
+  // We'll overide this with slsa.ControlName
+  string property_name = 1;
+
+  // These controls have their own start time to enable orgs to enable
+  // new ones without violating continuity on other controls.
+  google.protobuf.Timestamp since = 2;
+
+  // The name of the 'Status Check' as reported in the GitHub UI & API.
+  string check_name = 3;
 }
diff --git a/proto/v1/provenance.proto b/proto/v1/provenance.proto
@@ -2,49 +2,49 @@
 // SPDX-License-Identifier: Apache-2.0
 
 syntax = "proto3";
-package ampel.v1;
+package in_toto_attestation.predicates.source_provenance.v1;
 
 import "google/protobuf/timestamp.proto";
 
+// buf:lint:ignore PACKAGE_SAME_GO_PACKAGE
 option go_package = "github.com/slsa-framework/slsa-source-poc/pkg/provenance";
 
 // The predicate that encodes source provenance data.
 // The git commit this corresponds to is encoded in the surrounding statement.
 message SourceProvenancePred {
-	// The commit preceding 'Commit' in the current context.
-	string prev_commit = 1;
-	string repo_uri = 2;
-    string activity_type = 3;
-    string actor = 4;
-    string branch = 5;
-    optional google.protobuf.Timestamp created_on = 6;
-	// TODO: get the author of the PR (if this was from a PR).
-
-	// The controls enabled at the time this commit was pushed.
-    repeated Control controls = 7;
+  // The commit preceding 'Commit' in the current context.
+  string prev_commit = 1;
+  string repo_uri = 2;
+  string activity_type = 3;
+  string actor = 4;
+  string branch = 5;
+  optional google.protobuf.Timestamp created_on = 6;
+  // TODO: get the author of the PR (if this was from a PR).
+
+  // The controls enabled at the time this commit was pushed.
+  repeated Control controls = 7;
 }
 
-message Control  {
-	// The name of the control
-	string name = 1;
-	// The time from which this control has been continuously enforced/observed.
-    google.protobuf.Timestamp since = 2;
+message Control {
+  // The name of the control
+  string name = 1;
+  // The time from which this control has been continuously enforced/observed.
+  google.protobuf.Timestamp since = 2;
 }
 
 message TagProvenancePred {
-	string repo_uri = 1;
-	string actor = 2;
-	string tag = 3;
-	optional google.protobuf.Timestamp created_on = 4;
-
-	// The tag related controls enabled at the time this tag was created/updated.
-	repeated Control controls = 7;
-	repeated VsaSummary vsa_summaries = 8;
+  string repo_uri = 1;
+  string actor = 2;
+  string tag = 3;
+  optional google.protobuf.Timestamp created_on = 4;
+
+  // The tag related controls enabled at the time this tag was created/updated.
+  repeated Control controls = 7;
+  repeated VsaSummary vsa_summaries = 8;
 }
 
 // Summary of a summary
 message VsaSummary {
-	repeated string source_refs = 1;
-	repeated string verifiedLevels = 2;
+  repeated string source_refs = 1;
+  repeated string verified_levels = 2 [json_name = "verifiedLevels"];
 }
-