tektoncd
Start signing all of our releases (all projects, full and nightly)
Feature request
Tekton Chains is running in our dogfooding cluster and currently signing pipelines releases. We should add signing for our other releases as well. Since they share the same or very similar publish tasks we should be able to replicate the needed changes across them all.
Here's the IMAGES field we added for pipelines, which is then picked up by chains to perform the signing: https://github.com/tektoncd/pipeline/blob/main/tekton/publish.yaml#L57-L60
Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle stale
Send feedback to tektoncd/plumbing.
This is done for Dashboard since https://github.com/tektoncd/dashboard/issues/1969 (Nov 11th for nightly, v0.22 for releases)
Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.
/lifecycle rotten
Send feedback to tektoncd/plumbing.
Signing our releases - and more generally meeting slsa.dev requirements for components published by Tekton - is something we've discussed having in the context of the new s3c working group (https://github.com/tektoncd/community/pull/633) so I think it's fair to consider this something we still want to do.
/lifecycle frozen
@afrittoli suggests we make a list of the things we sign and do not yet sign. perhaps a table in this issue, would be a great help.
