SLSA Attestation to be generated with new releases. #2282
Comments
shafeeqes
added
the
kind/feature
k8s-ci-robot
added
the
needs-triage
|
/cc @mrueg |
k8s-ci-robot
added
triage/accepted
|
@shafeeqes I believe this was partially accomplished in #2276. Are you working on this? |
I don't think so.
No, as explained in the issue, currently there is no release workflow for this repo. |
I assumed it since #2276 mentions the following.
I believe we do not necessarily need a release workflow to accomplish this. As mentioned in the same description: |
|
@shafeeqes are you working on this issue? If not, do you mind if I assign it to me? |
Hi, Please do so, I am currently lacking capacity to work on this issue. |
|
/assign |
What would you like to be added:
SLSA Attestation to be generated with new releases.
Why is this needed:
SLSA's are resources that show evidence that the release consumers receive has not been tampered with during the supply chain process. Implementation of a tool such as https://github.com/kubernetes-sigs/tejolote into the CI process for builds will generate the SLSA and attach it to the release.
Describe the solution you'd like:
Example implementation:
https://github.com/openvex/vexctl/blob/13fa934d15cb49ad2981ce4d3f5e6ecbef599919/.github/workflows/release.yaml#L84-L88
But currently there is no
releaseworkflow for this repo.Maybe we can use a tool like https://github.com/actions/upload-artifact to push it to the artifacts when a new tag is created.
Additional context
Part of #2274
The text was updated successfully, but these errors were encountered: