Commit
Introduce Official Bandit Images (#1088)
* Introduce Official Bandit Images

Folks are using various bandit images kindly built by others, but we should really start providing one of our own that builds directly from source (the others use pip install). Should a different container image be subjected to some sort of attack (maintainer take over), this could lead to some serious problems for those using Bandit.

This PR includes an action to build, publish and sign the image using sigstore cosign. This way (should they wish) users can verify that the source of origin for these images was the official repo.

You can see an example of this below, where I tested the action in my own test fork (bandit-test): https://search.sigstore.dev/?logIndex=61918446

Signed-off-by: Luke Hinds <luke@stacklok.com>

* Update tags for other actions

Signed-off-by: Luke Hinds <luke@stacklok.com>

* Fix TOX

Signed-off-by: Luke Hinds <luke@stacklok.com>

* Single python release and review points

Signed-off-by: Luke Hinds <luke@stacklok.com>

* Single python release and review points

Signed-off-by: Luke Hinds <luke@stacklok.com>

* Remove arch from container tag

Signed-off-by: Luke Hinds <luke@stacklok.com>

* Remove arch from container tag

Signed-off-by: Luke Hinds <luke@stacklok.com>

* Missed text referencing arch tag

Signed-off-by: Luke Hinds <luke@stacklok.com>

* Add workflow dispatch

* On schedule or dispatch, build from last release

* Pin to digests

---------

Signed-off-by: Luke Hinds <luke@stacklok.com>