
Add SLSA provenance to your releases

Open udf2457 opened this issue 1 year ago • 7 comments

What would you like to be added?

Please add SLSA provenance to your releases.

It is easy to do on Github:

https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator

Background info: https://docs.sigstore.dev/signing/overview/

Why is this needed?

Improving robustness against supply-chain attacks.

udf2457 avatar Apr 24 '24 17:04 udf2457

Contributions are welcome

serathius avatar Apr 24 '24 18:04 serathius

Any further consideration given to moving to goreleaser @serathius, as mentioned in #13980?

Adding provenance is a piece of cake with goreleaser.

I'm not sure why your present release.yml is the way it is? Perhaps it predates goreleaser? But tweaking your present release.yml to add provenance could be a time-consuming endeavour (at least for me, because I'm not familiar with the random shell scripts you are calling out to).

udf2457 avatar Apr 24 '24 20:04 udf2457
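As an added illustration of what the issue body and the comment above are asking for (this is example code, not etcd's release.yml and not copied from the slsa-github-generator docs): a GitHub Actions workflow that lets goreleaser build and publish the release, then hands goreleaser's checksum file to the slsa-github-generator generic builder, which signs the provenance via Sigstore keyless signing and attaches it to the release. It assumes a Go project with a `.goreleaser.yaml`; every action version shown is a placeholder to be pinned.

```yaml
# Added example workflow, not etcd's own. Assumes a .goreleaser.yaml exists.
# All @vX / @vX.Y.Z refs are placeholders: pin actions to a commit SHA and the
# slsa-github-generator reusable workflow to one of its release tags.
name: release
on:
  push:
    tags: ["v*"]
permissions: read-all            # default-deny; jobs opt in below

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write            # goreleaser uploads the release assets
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
    steps:
      - uses: actions/checkout@vX          # placeholder
        with:
          fetch-depth: 0                   # full history for goreleaser's changelog
      - uses: actions/setup-go@vX          # placeholder
        with:
          go-version-file: go.mod
      - name: Build and publish with GoReleaser
        id: run-goreleaser
        uses: goreleaser/goreleaser-action@vX   # placeholder
        with:
          version: latest
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Derive provenance subjects from goreleaser's checksum file
        id: hash
        env:
          ARTIFACTS: ${{ steps.run-goreleaser.outputs.artifacts }}
        run: |
          set -euo pipefail
          checksum_file=$(echo "$ARTIFACTS" | jq -r '.[] | select(.type=="Checksum") | .path')
          # The generic builder expects sha256sum-style "<hash>  <file>" lines, base64 on one line.
          echo "hashes=$(base64 -w0 < "$checksum_file")" >> "$GITHUB_OUTPUT"

  provenance:
    needs: [release]
    permissions:
      actions: read      # read the run so the builder identity is recorded
      id-token: write    # OIDC token for Sigstore keyless signing
      contents: write    # attach the provenance to the GitHub release
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@vX.Y.Z  # placeholder tag
    with:
      base64-subjects: ${{ needs.release.outputs.hashes }}
      upload-assets: true
```

Consumers can then check a downloaded binary against the attached `*.intoto.jsonl` with `slsa-verifier verify-artifact`, supplying the expected source repository and tag, so a tampered asset or one built outside this workflow fails verification.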

Up-to-date release instructions are in https://github.com/etcd-io/etcd/blob/main/Documentation/contributor-guide/release.md

serathius avatar Apr 25 '24 07:04 serathius

Github announced this yesterday, so I will need to compare it to the process originally linked to see if it makes it more straightforward to implement.

udf2457 avatar May 03 '24 16:05 udf2457

Hello @serathius @udf2457 👋 I am interested in working on this issue

ArkaSaha30 avatar May 07 '24 09:05 ArkaSaha30

Hi @ArkaSaha30

I am currently focused on some high-priority $work projects, so your offer of assistance is much appreciated @ArkaSaha30 😉

Hopefully when things quiet down a little at $work I will be able to return to this!

udf2457 avatar May 07 '24 11:05 udf2457

Before jumping into coding, please start from reading the etcd release documentation to understand our current process and please propose what changes need to be made to provide SLSA provenance.

serathius avatar May 08 '24 07:05 serathius