Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

SLSA Attestation to be generated with new releases. #2282

Open
shafeeqes opened this issue Dec 18, 2023 · 8 comments
Open

SLSA Attestation to be generated with new releases. #2282

shafeeqes opened this issue Dec 18, 2023 · 8 comments
Assignees
Labels
kind/feature Categorizes issue or PR as related to a new feature. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@shafeeqes
Copy link
Contributor

What would you like to be added:
SLSA Attestation to be generated with new releases.

Why is this needed:
SLSA's are resources that show evidence that the release consumers receive has not been tampered with during the supply chain process. Implementation of a tool such as https://github.com/kubernetes-sigs/tejolote into the CI process for builds will generate the SLSA and attach it to the release.

Describe the solution you'd like:
Example implementation:
https://github.com/openvex/vexctl/blob/13fa934d15cb49ad2981ce4d3f5e6ecbef599919/.github/workflows/release.yaml#L84-L88
But currently there is no release workflow for this repo.
Maybe we can use a tool like https://github.com/actions/upload-artifact to push it to the artifacts when a new tag is created.

Additional context
Part of #2274

@shafeeqes shafeeqes added the kind/feature Categorizes issue or PR as related to a new feature. label Dec 18, 2023
@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Dec 18, 2023
@shafeeqes
Copy link
Contributor Author

/cc @mrueg

@dashpole
Copy link
Contributor

/assign @rexagod @mrueg
/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jan 11, 2024
@rexagod
Copy link
Member

rexagod commented Jan 16, 2024

@shafeeqes I believe this was partially accomplished in #2276. Are you working on this?

@shafeeqes
Copy link
Contributor Author

@shafeeqes I believe this was partially accomplished in #2276.

I don't think so.

Are you working on this?

No, as explained in the issue, currently there is no release workflow for this repo.

@rexagod
Copy link
Member

rexagod commented Jan 17, 2024

I don't think so.

I assumed it since #2276 mentions the following.

Fixes part of #2274.

No, as explained in the issue, currently there is no release workflow for this repo.

I believe we do not necessarily need a release workflow to accomplish this. As mentioned in the same description: Maybe we can use a tool like [actions/upload-artifact](https://github.com/actions/upload-artifact) to push it to the artifacts when a new tag is created. Can go ahead with that, in the same manner that's been done for generate-vex here: https://github.com/kubernetes/kube-state-metrics/pull/2276/files#diff-6efe93b09c83080c15a150bd75e10676413db9a685079951aa16608ff458c3a2R15?

@ricardoapl
Copy link
Member

@shafeeqes are you working on this issue? If not, do you mind if I assign it to me?

@shafeeqes
Copy link
Contributor Author

@shafeeqes are you working on this issue? If not, do you mind if I assign it to me?

Hi, Please do so, I am currently lacking capacity to work on this issue.

@ricardoapl
Copy link
Member

/assign

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
kind/feature Categorizes issue or PR as related to a new feature. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Development

No branches or pull requests

6 participants