
[charts] SLSA compatibility for image dependencies #508

Closed
nicholasSUSE opened this issue Nov 28, 2024 · 2 comments

nicholasSUSE commented Nov 28, 2024

The work for making charts-repo compliant with SLSA has already started here:

Problem

The solution previously implemented is for specific images hard-coded into a file called slsa.yaml.
The problem is that some images were not hard-coded and were overwritten; this was a miscommunication problem.

We have to bypass all dependency images for one chart; if these images are also used by another chart, they must be bypassed as well.

Solution

I am still working on this, but probably the solution will be to look if the image is already present in the Prime registry and not overwrite it.

nicholasSUSE (Contributor, Author) commented

I had another meeting with @pjbgf

The solution that we are currently working on is:

  • List all released image dependencies.
  • Check each one individually to see if it is co-signed or not.
  • If it is co-signed, bypass the sync to the prime registry.
  • If not, just sync it from docker.io -> prime.

nicholasSUSE (Contributor, Author) commented

This solution is very complex from the point of view that we are rate-limited on docker.io requests.

So we will do it only for the git diff related to the new charts and image dependencies.
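The procedure described in the two comments above, as an added example that is not code from the charts repo or its authors: it diffs the released image list against the previous one so that only new or changed references are checked (keeping docker.io requests to a minimum), asks a pluggable checker whether each image already carries a valid cosign signature, and emits a bypass-or-sync decision per image. The prime registry hostname, the cosign public key path and the sample image lists are constructed placeholders, and `cosign_verify` is an assumed wrapper around the real `cosign verify --key` command.

```python
# Added example, not the charts repo's own code. Plans which image dependencies
# to sync to the prime registry and which to leave alone because they are
# already signed upstream. Registry name, key path and image lists are placeholders.
import shutil
import subprocess
from dataclasses import dataclass
from typing import Callable, Iterable, List

PRIME_REGISTRY = "prime.example.invalid"  # placeholder, not the real prime registry
COSIGN_PUBKEY = "/path/to/cosign.pub"      # placeholder, not a real key

# Constructed sample data: image dependency lists before and after a chart change.
IMAGES_BEFORE = [
    "docker.io/rancher/shell:v0.2.1",
    "docker.io/rancher/fleet:v0.10.2",
]
IMAGES_AFTER = [
    "docker.io/rancher/shell:v0.2.1",         # unchanged -> not re-checked
    "docker.io/rancher/fleet:v0.10.3",        # bumped tag -> checked
    "docker.io/rancher/new-operator:v1.0.0",  # newly added -> checked
]


def changed_images(before: Iterable[str], after: Iterable[str]) -> List[str]:
    """References present after the change but not before: the 'git diff' subset."""
    return sorted(set(after) - set(before))


def cosign_verify(image: str, pubkey: str = COSIGN_PUBKEY) -> bool:
    """Real checker (assumed wrapper): runs `cosign verify --key <pubkey> <image>`.

    Returns True only when cosign exits 0, i.e. a valid signature was found.
    Needs the cosign CLI and network access, so the offline test does not call it.
    """
    if shutil.which("cosign") is None:
        raise RuntimeError("cosign CLI not found on PATH")
    result = subprocess.run(
        ["cosign", "verify", "--key", pubkey, image],
        capture_output=True, text=True, check=False,
    )
    return result.returncode == 0


def to_prime(image: str, prime_registry: str = PRIME_REGISTRY) -> str:
    """Rewrite a docker.io reference to its prime-registry counterpart."""
    if image.startswith("docker.io/"):
        return prime_registry + image[len("docker.io"):]
    return f"{prime_registry}/{image}"


@dataclass(frozen=True)
class Decision:
    image: str
    action: str         # "bypass" (already signed upstream) or "sync"
    destination: str    # where the image will live after the decision is applied


def plan_sync(before: Iterable[str], after: Iterable[str],
              is_signed: Callable[[str], bool]) -> List[Decision]:
    """Check only changed images; bypass the signed ones, sync the rest to prime."""
    decisions = []
    for image in changed_images(before, after):
        if is_signed(image):
            decisions.append(Decision(image, "bypass", image))
        else:
            decisions.append(Decision(image, "sync", to_prime(image)))
    return decisions


if __name__ == "__main__":
    # Offline demo with a stand-in checker; pass cosign_verify instead for real use.
    fake_signed = {"docker.io/rancher/fleet:v0.10.3"}
    for d in plan_sync(IMAGES_BEFORE, IMAGES_AFTER, lambda img: img in fake_signed):
        print(f"{d.action:6} {d.image} -> {d.destination}")
```

The signature check is injected as a callable so the planning logic can be exercised without touching docker.io; in a real run, a failed `cosign verify` is treated as "unsigned, sync it", which is the safe default for the procedure above, since syncing an unsigned image cannot overwrite a signed one.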
