Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Sign the release checksums and container images with Cosign and GitHub OIDC #2303

Closed
8 tasks done
Tracked by #2308
stefanprodan opened this issue Jan 18, 2022 · 0 comments
Closed
8 tasks done
Tracked by #2308

Sign the release checksums and container images with Cosign and GitHub OIDC #2303

stefanprodan opened this issue Jan 18, 2022 · 0 comments
Assignees
@stefanprodan
Labels
area/ci CI related issues and pull requests enhancement New feature or request

Comments

@stefanprodan
Copy link
Member

stefanprodan commented Jan 18, 2022
edited
Loading

We should use Cosign keyless signing (using GitHub Actions OIDC) to allow our users to verify the authenticity of Flux binaries, manifests, SBOM files and container images. Besides the the Flux artifacts, all the GitOps Toolkit controller images and release artifacts should also be signed in CI using GitHub Actions, Cosign and GoReleaser.

Projects:

  • flux2
  • source-controller
  • kustomize-controller
  • helm-controller
  • notification-controller
  • image-reflector-controller
  • image-automation-controller
  • source-watcher
@stefanprodan stefanprodan added enhancement New feature or request area/ci CI related issues and pull requests labels Jan 18, 2022
@stefanprodan stefanprodan self-assigned this Jan 18, 2022
This was referenced Jan 18, 2022
Merged
Merged
Closed
Merged
Merged
Merged
Merged
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@stefanprodan stefanprodan

Labels
area/ci CI related issues and pull requests enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@stefanprodan