-
For auditing build attestations, a high-priority task is to save the logs for jobs which have a build attestation on Rekor.
-
We have the same problem in two projects. We can't switch to GitHub because the retention period is limited.
-
This issue poses a significant limitation for attestations generated by the GitHub artifact attestation feature, npm, or other generators, and does not align with the goal of maintaining verifiable provenances. While workflow runs that build attestations might be prioritized, this issue represents a broader challenge for any project that has implemented an automated build and release process for auditing purposes. I have also created an issue elaborating on the problem: https://github.com/orgs/community/discussions/138249
-
All - I am closing this discussion in favor of this for tracking purposes. Please follow there for updates in this area.
-
ack, now following #138249
-
Topic area: Bug
Summary:
GitHub Actions logs are deleted after three months. This reduces transparency and auditability of CI/CD jobs. This is a software supply chain security problem.
Attack model:
An attacker subverts a CI or a CD job. The attack may leave traces in the logs. If the attack goes undetected for three months, all traces are deleted and the attacker is safe. It is impossible to audit automated package releases from the past.
Mitigation:
GitHub should keep the logs of all CI/CD jobs, or at least all of them in repos which are deployed to package repositories such as NPM/PyPI/Maven/Dockerhub/etc.
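Until retention changes, the practical workaround for the first reply's suggestion (save the logs of jobs that produced a Rekor attestation) is to pull each run's log archive inside the three-month window and keep it somewhere you control, indexed so an auditor can go from a Rekor entry back to the job that produced it. The script below is an added example written for this page, not code from GitHub or from anyone in the discussion. It assumes the log zip comes from the documented endpoint GET /repos/{owner}/{repo}/actions/runs/{run_id}/logs (the download is injected as a callable so the example runs offline against a constructed zip), and it matches Rekor references as URLs only, since the surrounding wording differs between cosign, gh and the attest actions. The owner, repo, run id, UUID and log index in the sample are made up.

```python
"""Archive GitHub Actions run logs before retention deletes them, and index
them by the Rekor entries they mention so attestations stay auditable.

Added example, not GitHub's or this discussion's code. ASSUMPTIONS: logs are
fetched from GET /repos/{owner}/{repo}/actions/runs/{run_id}/logs (injected
here as `fetch` so the script runs offline); Rekor references are recognised
by URL shape only; the sample run, UUID and log index are constructed.
"""
import hashlib
import io
import json
import re
import zipfile
from pathlib import Path
from typing import Callable, Dict, List

# Entry UUIDs are 64 hex chars (old) or 80 hex chars (tree id + hash).
REKOR_ENTRY_RE = re.compile(
    r"https://rekor\.sigstore\.dev/api/v1/log/entries/([0-9a-f]{64,80})")
LOG_INDEX_RE = re.compile(r"[?&]logIndex=(\d+)")

Fetch = Callable[[str, str, int], bytes]


def gh_logs_command(owner: str, repo: str, run_id: int) -> List[str]:
    """gh CLI invocation that writes the run's log zip to stdout."""
    return ["gh", "api", f"repos/{owner}/{repo}/actions/runs/{run_id}/logs"]


def extract_rekor_refs(text: str) -> Dict[str, list]:
    """Collect Rekor entry UUIDs and log indexes mentioned in one log file."""
    return {
        "entry_uuids": sorted(set(REKOR_ENTRY_RE.findall(text))),
        "log_indexes": sorted({int(i) for i in LOG_INDEX_RE.findall(text)}),
    }


def archive_run_logs(owner: str, repo: str, run_id: int,
                     dest: Path, fetch: Fetch) -> dict:
    """Store the log zip content-addressed and write an audit manifest."""
    log_zip = fetch(owner, repo, run_id)
    digest = hashlib.sha256(log_zip).hexdigest()
    blob = dest / "blobs" / f"sha256-{digest}.zip"
    blob.parent.mkdir(parents=True, exist_ok=True)
    if not blob.exists():  # content-addressed: an archived log is never rewritten
        blob.write_bytes(log_zip)

    uuids, indexes, files = set(), set(), []
    with zipfile.ZipFile(io.BytesIO(log_zip)) as zf:
        for name in zf.namelist():  # one text file per job step
            refs = extract_rekor_refs(zf.read(name).decode("utf-8", "replace"))
            uuids.update(refs["entry_uuids"])
            indexes.update(refs["log_indexes"])
            files.append(name)

    manifest = {
        "owner": owner, "repo": repo, "run_id": run_id,
        "log_sha256": digest, "blob": str(blob.relative_to(dest)),
        "files": files,
        "rekor_entry_uuids": sorted(uuids),
        "rekor_log_indexes": sorted(indexes),
    }
    runs_dir = dest / "runs"
    runs_dir.mkdir(parents=True, exist_ok=True)
    (runs_dir / f"{owner}__{repo}__{run_id}.json").write_text(
        json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def find_runs_for_entry(dest: Path, entry_uuid: str) -> List[int]:
    """Audit-time reverse lookup: which archived runs mention this Rekor entry?"""
    hits = []
    for path in (dest / "runs").glob("*.json"):
        m = json.loads(path.read_text())
        if entry_uuid in m["rekor_entry_uuids"]:
            hits.append(m["run_id"])
    return sorted(hits)


# Constructed sample, standing in for the real download (not real data).
SAMPLE_UUID = "108e9186e8c5677a" + "0123456789abcdef" * 4  # 80 hex chars
SAMPLE_LOG_INDEX = 123456789


def fake_fetch(owner: str, repo: str, run_id: int) -> bytes:
    """Offline stand-in for gh_logs_command(): a zip shaped like GitHub's."""
    attest_lines = [
        "2024-05-01T10:00:00.0000000Z ##[group]Run attest step",
        "2024-05-01T10:00:03.0000000Z Rekor entry: https://rekor.sigstore.dev"
        f"/api/v1/log/entries/{SAMPLE_UUID}",
        "2024-05-01T10:00:03.0000000Z Transparency log: "
        f"https://search.sigstore.dev/?logIndex={SAMPLE_LOG_INDEX}",
    ]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in (("build/1_Set up job.txt", "runner provisioned\n"),
                           ("build/5_Attest.txt", "\n".join(attest_lines) + "\n")):
            zi = zipfile.ZipInfo(name, date_time=(2024, 5, 1, 10, 0, 0))
            zf.writestr(zi, body)  # fixed timestamp keeps the digest stable
    return buf.getvalue()


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        m = archive_run_logs("example-org", "example-repo", 987654321,
                             Path(d), fake_fetch)
        print(json.dumps(m, indent=2))
        print(find_runs_for_entry(Path(d), SAMPLE_UUID))
```

To use it for real, replace fake_fetch with a function that runs gh_logs_command() via subprocess and returns stdout, and run it from a scheduled job (for example a separate workflow that lists recent runs) well inside the 90-day window; the content-addressed blob plus the manifest's sha256 lets a later auditor check that what they are reading is what was archived.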