-
-
Notifications
You must be signed in to change notification settings - Fork 349
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
push package checskums to sigstore/rekor as part of CD #5957
Comments
monperrus
changed the title
push package checskums to sigstore as part of CD
push package checskums to sigstore/rekor as part of CD
Aug 29, 2024
potential option: https://github.com/actions/attest-build-provenance |
@RafDevX and I would like to work on this issue. May we be assigned? |
@RafDevX you have to write any comment here before I can asign you in the github UI. |
Hi, confirm I'm also working on this |
RafDevX
added a commit
to RafDevX/spoon
that referenced
this issue
Oct 13, 2024
This makes it so all release pipelines attest the artifacts they build, by signing the corresponding checksums. Optionally release workflows may opt out of this behavior, which in this commit is done for `nightly` as specified by @monperrus on the linked issue. Closes INRIA#5957 Co-authored-by: ludvigch <ludvigch@kth.se>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
the Spoon workflows are meant to be state-of-the-art.
What's missing today is to push package checskums to sigstore/rekor as part of our CD pipelines (both beta and stable).
The text was updated successfully, but these errors were encountered: