SLSA Attestation to be generated with new releases. #2282

@shafeeqes

Description

What would you like to be added:
SLSA Attestation to be generated with new releases.

Why is this needed:
SLSA attestations are resources that show evidence that the release consumers receive has not been tampered with during the supply chain process. Implementing a tool such as https://github.com/kubernetes-sigs/tejolote in the CI process for builds will generate the SLSA attestation and attach it to the release.

Describe the solution you'd like:
Example implementation:
https://github.com/openvex/vexctl/blob/13fa934d15cb49ad2981ce4d3f5e6ecbef599919/.github/workflows/release.yaml#L84-L88
But currently there is no release workflow for this repo.
Maybe we can use a tool like https://github.com/actions/upload-artifact to push it to the artifacts when a new tag is created.

Additional context
Part of #2274
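The consumer-side counterpart of what this issue asks for is checking a released artifact against the provenance attached to it. The following is an added example, not code from this issue, from tejolote or from the vexctl workflow linked above: it constructs an in-toto Statement carrying a SLSA provenance v0.2 predicate, wraps it in a DSSE envelope (the format such tools emit), and then verifies that a downloaded asset matches the subject digest and was produced by a builder identity the consumer trusts. The asset name, builder id, repository and build type are hypothetical placeholders, and the DSSE signature check is intentionally left out; without verifying the signature against the builder's key, the digest comparison only catches accidental corruption, not a forged attestation.

```python
import base64
import hashlib
import hmac
import json

IN_TOTO_STATEMENT_TYPE = "https://in-toto.io/Statement/v0.1"
SLSA_PROVENANCE_V02 = "https://slsa.dev/provenance/v0.2"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed stand-in for a release asset; a real consumer would read the downloaded file.
ARTIFACT_NAME = "example-cli_linux_amd64"  # hypothetical asset name
ARTIFACT_BYTES = b"constructed release binary contents\n"

# Hypothetical builder identity the consumer decides to trust (a workflow ref, as SLSA builders report).
TRUSTED_BUILDER_ID = (
    "https://github.com/example-org/example-repo/.github/workflows/release.yaml@refs/tags/v0.0.0"
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_statement(name: str, data: bytes, builder_id: str) -> dict:
    """Build a constructed in-toto Statement with a SLSA v0.2 provenance predicate."""
    return {
        "_type": IN_TOTO_STATEMENT_TYPE,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(data)}}],
        "predicateType": SLSA_PROVENANCE_V02,
        "predicate": {
            "builder": {"id": builder_id},
            "buildType": "https://example.org/constructed-build-type",  # hypothetical
            "invocation": {
                "configSource": {"uri": "git+https://github.com/example-org/example-repo@refs/tags/v0.0.0"}
            },
            "materials": [],
        },
    }


def make_envelope(statement: dict) -> dict:
    """Wrap a statement in a DSSE envelope. Signatures are left empty in this constructed sample."""
    payload = json.dumps(statement, separators=(",", ":")).encode()
    return {
        "payloadType": DSSE_PAYLOAD_TYPE,
        "payload": base64.b64encode(payload).decode(),
        "signatures": [],
    }


def verify_artifact(envelope: dict, name: str, data: bytes, trusted_builder_id: str):
    """Check that `data` is the artifact the provenance describes. Returns (ok, reason).

    Signature verification over the DSSE envelope is deliberately out of scope here; a real
    consumer must verify the signature first, otherwise the attestation itself may be forged.
    """
    if envelope.get("payloadType") != DSSE_PAYLOAD_TYPE:
        return False, "unexpected payloadType"
    try:
        statement = json.loads(base64.b64decode(envelope["payload"]))
    except (KeyError, ValueError):  # binascii.Error and JSONDecodeError are ValueErrors
        return False, "undecodable payload"
    if statement.get("_type") != IN_TOTO_STATEMENT_TYPE:
        return False, "not an in-toto statement"
    if statement.get("predicateType") != SLSA_PROVENANCE_V02:
        return False, "unexpected predicateType"
    builder_id = statement.get("predicate", {}).get("builder", {}).get("id")
    if builder_id != trusted_builder_id:
        return False, "untrusted builder id"
    actual = sha256_hex(data)
    for subject in statement.get("subject", []):
        if subject.get("name") != name:
            continue
        expected = subject.get("digest", {}).get("sha256", "")
        # Constant-time comparison of the hex digests.
        if hmac.compare_digest(expected, actual):
            return True, "ok"
        return False, "digest mismatch"
    return False, "artifact not listed as a subject"


# Constructed envelope for the sample artifact above.
ENVELOPE = make_envelope(make_statement(ARTIFACT_NAME, ARTIFACT_BYTES, TRUSTED_BUILDER_ID))

if __name__ == "__main__":
    print(verify_artifact(ENVELOPE, ARTIFACT_NAME, ARTIFACT_BYTES, TRUSTED_BUILDER_ID))
    print(verify_artifact(ENVELOPE, ARTIFACT_NAME, ARTIFACT_BYTES + b"x", TRUSTED_BUILDER_ID))
```

The builder id check is what turns a digest comparison into a supply-chain control: an attacker who can replace both the asset and its attestation can keep the digests consistent, so the consumer has to pin the builder identity (and, in a real deployment, verify the envelope signature against that builder's key or Sigstore identity) rather than trust whatever the attestation claims about itself.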

Metadata

Labels

kind/feature: Categorizes issue or PR as related to a new feature.
lifecycle/stale: Denotes an issue or PR has remained open with no activity and has become stale.
needs-triage: Indicates an issue or PR lacks a `triage/foo` label and requires one.
