
[All/CI/Security] Provide Provenance / Sign Helm Charts

Open · PrivatePuffin opened this issue 2 years ago • 3 comments

Is your feature request related to a problem ?

With supply chain attacks on the rise, it's important to ensure all artifacts, including Helm charts, are signed, i.e. provide provenance files.

Describe the solution you'd like.

Adapt the CI to provide provenance files on each release of each Helm Chart.

Describe alternatives you've considered.

Continuing without these additional security measures.

Additional context.

The amount of effort required is minimal (a few hours of work, tops) and it significantly increases the professionalism and security practices of these Helm charts.

More info: https://helm.sh/docs/topics/provenance/

Example release pipeline using provenance: https://github.com/truecharts/helm-staging/blob/main/.github/workflows/release.yaml

PrivatePuffin avatar Nov 09 '23 09:11 PrivatePuffin

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

stale[bot] avatar Dec 15 '23 06:12 stale[bot]

This issue is being automatically closed due to inactivity.

stale[bot] avatar Apr 26 '25 12:04 stale[bot]

not stale

PrivatePuffin avatar Apr 27 '25 10:04 PrivatePuffin

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Any further update will cause the issue/pull request to no longer be considered stale. Thank you for your contributions.

stale[bot] avatar Jun 26 '25 23:06 stale[bot]

Fuck the bot. (maybe by cursing it actually gets attention)

PrivatePuffin avatar Jun 27 '25 13:06 PrivatePuffin

We can look into signing the Helm charts that are pushed as OCI artifacts. Unlike the GPG-based provenance, whose adoption rate is very low, signing the artifacts with cosign seems a more modern way.

We will add this to the Dev Summit agenda.

jkroepke avatar Jun 29 '25 11:06 jkroepke

We can look into signing the Helm charts that are pushed as OCI artifacts. Unlike the GPG-based provenance, whose adoption rate is very low, signing the artifacts with cosign seems a more modern way.

We will add this to the Dev Summit agenda.

Thanks, can you also please stop the bot from staling?

PrivatePuffin avatar Jun 29 '25 22:06 PrivatePuffin
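As an added example (not from this repository and not the truecharts workflow linked above), a GitHub Actions release job that covers both approaches raised in this thread: it GPG-signs the packaged chart so the classic `.prov` provenance file is produced and checked with `helm verify`, then pushes the chart as an OCI artifact and signs the pushed digest with cosign using keyless GitHub OIDC identity. The chart path, the ghcr.io target repository, and the secret names are assumptions.

```yaml
name: release-charts
on:
  push:
    tags: ["*"]

permissions:
  contents: read
  packages: write   # push the chart to ghcr.io
  id-token: write   # GitHub OIDC token for keyless cosign signing

jobs:
  release:
    runs-on: ubuntu-latest
    env:
      CHART_DIR: charts/example-chart                               # assumed path
      OCI_REPO: oci://ghcr.io/${{ github.repository_owner }}/charts  # assumed target
    steps:
      - uses: actions/checkout@v4
      - uses: azure/setup-helm@v4
      - uses: sigstore/cosign-installer@v3

      # (1) Helm provenance: GPG-sign the package so `helm verify` / `helm install --verify` work.
      # Assumes secret HELM_GPG_KEY holds an ASCII-armored, unprotected private key and
      # HELM_GPG_KEY_NAME its UID (name or e-mail). Helm reads legacy keyring files, hence the exports.
      - name: Package and sign chart (produces <chart>.tgz and <chart>.tgz.prov)
        run: |
          echo "${{ secrets.HELM_GPG_KEY }}" | gpg --batch --import
          gpg --export-secret-keys > ~/.gnupg/secring.gpg
          gpg --export > ~/.gnupg/pubring.gpg
          helm package "$CHART_DIR" --sign \
            --key "${{ secrets.HELM_GPG_KEY_NAME }}" --keyring ~/.gnupg/secring.gpg
          helm verify ./*.tgz --keyring ~/.gnupg/pubring.gpg   # fail the job if the .prov does not check out

      # (2) OCI push + keyless cosign signature over the immutable digest, not the mutable tag.
      - name: Push chart to OCI registry and sign with cosign
        run: |
          helm registry login ghcr.io -u "${{ github.actor }}" -p "${{ secrets.GITHUB_TOKEN }}"
          OUT=$(helm push ./*.tgz "$OCI_REPO")
          echo "$OUT"
          REF=$(echo "$OUT" | awk '/^Pushed:/ {print $2}')      # e.g. ghcr.io/org/charts/example-chart:1.2.3
          DIGEST=$(echo "$OUT" | awk '/^Digest:/ {print $2}')   # sha256:...
          cosign sign --yes "${REF%:*}@${DIGEST}"
          # Consumers verify against the signing workflow's identity; no key distribution needed.
          cosign verify \
            --certificate-identity-regexp "^https://github.com/${{ github.repository }}/" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            "${REF%:*}@${DIGEST}"
```

Users of the chart repeat the final `cosign verify` (or `helm install --verify` with the published public key for the `.prov` route) before installing, which is the check the issue is asking the CI to make possible.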