kube-state-metrics

SLSA Attestation to be generated with new releases.

Open shafeeqes opened this issue 1 year ago • 9 comments

What would you like to be added: SLSA Attestation to be generated with new releases.

Why is this needed: SLSAs are resources that show evidence that the release consumers receive has not been tampered with during the supply chain process. Implementation of a tool such as https://github.com/kubernetes-sigs/tejolote into the CI process for builds will generate the SLSA and attach it to the release.

Describe the solution you'd like: Example implementation: https://github.com/openvex/vexctl/blob/13fa934d15cb49ad2981ce4d3f5e6ecbef599919/.github/workflows/release.yaml#L84-L88

But currently there is no release workflow for this repo. Maybe we can use a tool like https://github.com/actions/upload-artifact to push it to the artifacts when a new tag is created.

Additional context: Part of #2274

shafeeqes avatar Dec 18 '23 06:12 shafeeqes
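
A consumer-side check of the evidence the issue describes, as an added example that is not part of the original thread or of the kube-state-metrics project. It assumes the attestation is an in-toto Statement carrying a SLSA provenance predicate, optionally wrapped in a DSSE envelope; the artifact, file name and builder id are constructed sample values.

```python
import base64
import hashlib
import json

STATEMENT_TYPES = {"https://in-toto.io/Statement/v0.1", "https://in-toto.io/Statement/v1"}
SLSA_PREFIX = "https://slsa.dev/provenance/"


def load_statement(doc: bytes) -> dict:
    """Return the in-toto Statement, unwrapping a DSSE envelope if present."""
    obj = json.loads(doc)
    if "payload" in obj and "payloadType" in obj:
        if obj["payloadType"] != "application/vnd.in-toto+json":
            raise ValueError("unexpected DSSE payloadType")
        obj = json.loads(base64.b64decode(obj["payload"]))
    return obj


def artifact_is_attested(artifact: bytes, name: str, attestation: bytes) -> bool:
    """True only if the statement is SLSA provenance and one subject matches
    both the artifact's name and its SHA-256 digest. Verifying the envelope
    signature is a separate, required step that this function does not do."""
    st = load_statement(attestation)
    if st.get("_type") not in STATEMENT_TYPES:
        return False
    if not str(st.get("predicateType", "")).startswith(SLSA_PREFIX):
        return False
    digest = hashlib.sha256(artifact).hexdigest()
    return any(
        s.get("name") == name and s.get("digest", {}).get("sha256", "").lower() == digest
        for s in st.get("subject", [])
    )


# Constructed sample data (not a real kube-state-metrics release).
ARTIFACT = b"constructed release tarball bytes"
NAME = "example-release.tar.gz"
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": NAME, "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicate": {"builder": {"id": "https://example.invalid/builder"}},
}
PLAIN = json.dumps(STATEMENT).encode()
ENVELOPE = json.dumps({"payloadType": "application/vnd.in-toto+json",
                       "payload": base64.b64encode(PLAIN).decode(),
                       "signatures": []}).encode()
```

A digest match only shows that the artifact is the one the statement names; trust in the statement itself comes from verifying its signature against the expected builder identity.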

/cc @mrueg

shafeeqes avatar Dec 18 '23 06:12 shafeeqes

/assign @rexagod @mrueg

/triage accepted

dashpole avatar Jan 11 '24 17:01 dashpole

@shafeeqes I believe this was partially accomplished in https://github.com/kubernetes/kube-state-metrics/pull/2276. Are you working on this?

rexagod avatar Jan 16 '24 09:01 rexagod

> @shafeeqes I believe this was partially accomplished in #2276.

I don't think so.

> Are you working on this?

No, as explained in the issue, currently there is no release workflow for this repo.

shafeeqes avatar Jan 17 '24 06:01 shafeeqes

> I don't think so.

I assumed it since https://github.com/kubernetes/kube-state-metrics/pull/2276 mentions the following.

> Fixes part of https://github.com/kubernetes/kube-state-metrics/issues/2274.

> No, as explained in the issue, currently there is no release workflow for this repo.

I believe we do not necessarily need a release workflow to accomplish this. As mentioned in the same description:

> Maybe we can use a tool like [actions/upload-artifact](https://github.com/actions/upload-artifact) to push it to the artifacts when a new tag is created.

Can go ahead with that, in the same manner that's been done for generate-vex here: https://github.com/kubernetes/kube-state-metrics/pull/2276/files#diff-6efe93b09c83080c15a150bd75e10676413db9a685079951aa16608ff458c3a2R15?

rexagod avatar Jan 17 '24 08:01 rexagod

@shafeeqes are you working on this issue? If not, do you mind if I assign it to me?

ricardoapl avatar May 16 '24 08:05 ricardoapl

> @shafeeqes are you working on this issue? If not, do you mind if I assign it to me?

Hi, please do so; I am currently lacking capacity to work on this issue.

shafeeqes avatar May 16 '24 08:05 shafeeqes

/assign

ricardoapl avatar May 16 '24 08:05 ricardoapl