SLSA Attestation to be generated with new releases. #2282
Comments
/cc @mrueg

@shafeeqes I believe this was partially accomplished in #2276. Are you working on this?

I don't think so.
No, as explained in the issue, currently there is no release workflow for this repo.

I assumed it since #2276 mentions the following.
I believe we do not necessarily need a release workflow to accomplish this. As mentioned in the same description:

@shafeeqes are you working on this issue? If not, do you mind if I assign it to me?

Hi, please do so; I am currently lacking capacity to work on this issue.

/assign

What would you like to be added:
SLSA Attestation to be generated with new releases.
Why is this needed:
SLSAs are resources that show evidence that the release consumers receive has not been tampered with during the supply chain process. Implementation of a tool such as https://github.com/kubernetes-sigs/tejolote into the CI process for builds will generate the SLSA and attach it to the release.
Describe the solution you'd like:
Example implementation:
https://github.com/openvex/vexctl/blob/13fa934d15cb49ad2981ce4d3f5e6ecbef599919/.github/workflows/release.yaml#L84-L88
But currently there is no release workflow for this repo. Maybe we can use a tool like https://github.com/actions/upload-artifact to push it to the artifacts when a new tag is created.
Additional context
Part of #2274