Open udf2457 opened 4 months ago
Contributions are welcomed
Any further consideration given to moving to goreleaser @serathius as mentioned in #13980 ?
Adding provenance is a piece of cake with goreleaser.
I'm not sure why your present release.yml is the way it is? Perhaps it predates goreleaser? But tweaking your present release.yml to add provenance could be a time-consuming endeavour (at least for me, because I'm not familiar with the random shell scripts you are calling out to).
Up to date release instructions are in https://github.com/etcd-io/etcd/blob/main/Documentation/contributor-guide/release.md
GitHub announced this yesterday, so will need to compare it to the process originally linked to see if it makes it more straightforward to implement.
Hello @serathius @udf2457 👋 I am interested to work on this issue
Hi @ArkaSaha30
I am currently focused on some high-priority $work projects, so your offer of assistance is much appreciated @ArkaSaha30 😉
Hopefully when things quiet down a little at $work I will be able to return to this!
Before jumping into coding, please start from reading the etcd release documentation to understand our current process and please propose what changes need to be made to provide SLSA provenance.
What would you like to be added?
Please add SLSA provenance to your releases.
It is easy to do on GitHub:
https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator
Background info: https://docs.sigstore.dev/signing/overview/
Why is this needed?
Improving robustness against supply-chain attacks.
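As an added illustration of what the requested provenance actually buys a downstream consumer (example code written for this page, not etcd's release tooling and not slsa-github-generator's code), the block below builds a minimal SLSA v1 in-toto statement in a DSSE envelope and then verifies a release artifact against it: signature over the DSSE pre-authentication encoding, statement and predicate types, builder identity, and the artifact's sha256 against the statement's subjects. It assumes a single ed25519 builder key standing in for the Sigstore keyless signing the real generator uses; the artifact bytes, artifact name and builder ID string are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// DSSE envelope: Payload is base64 of the in-toto Statement; each Sig is over
// the pre-authentication encoding (pae) of payloadType and payload.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}

type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

// Subset of an in-toto Statement / SLSA v1 predicate that the check needs.
type Statement struct {
	Type          string    `json:"_type"`
	Subject       []Subject `json:"subject"`
	PredicateType string    `json:"predicateType"`
	Predicate     Predicate `json:"predicate"`
}

type Subject struct {
	Name   string            `json:"name"`
	Digest map[string]string `json:"digest"`
}

type Predicate struct {
	RunDetails struct {
		Builder struct {
			ID string `json:"id"`
		} `json:"builder"`
	} `json:"runDetails"`
}

const (
	payloadTypeInToto = "application/vnd.in-toto+json"
	statementTypeV1   = "https://in-toto.io/Statement/v1"
	slsaProvenanceV1  = "https://slsa.dev/provenance/v1"
)

// pae is the DSSE pre-authentication encoding: the bytes that are signed.
func pae(payloadType string, payload []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(payloadType), payloadType, len(payload), payload))
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// BuildProvenance plays the builder: it binds the artifact digest to the builder
// identity inside a signed statement. In a real pipeline the trusted builder
// signs this, never the person cutting the release.
func BuildProvenance(priv ed25519.PrivateKey, name string, artifact []byte, builderID string) (Envelope, error) {
	var st Statement
	st.Type, st.PredicateType = statementTypeV1, slsaProvenanceV1
	st.Subject = []Subject{{Name: name, Digest: map[string]string{"sha256": sha256Hex(artifact)}}}
	st.Predicate.RunDetails.Builder.ID = builderID
	payload, err := json.Marshal(st)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(priv, pae(payloadTypeInToto, payload))
	return Envelope{PayloadType: payloadTypeInToto, Payload: base64.StdEncoding.EncodeToString(payload),
		Signatures: []Signature{{KeyID: "builder-key", Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// VerifyProvenance is the consumer-side check; nil means the artifact is
// exactly what the trusted builder said it produced.
func VerifyProvenance(env Envelope, trusted ed25519.PublicKey, name string, artifact []byte, expectedBuilder string) error {
	if env.PayloadType != payloadTypeInToto {
		return fmt.Errorf("unexpected payloadType %q", env.PayloadType)
	}
	payload, err := base64.StdEncoding.DecodeString(env.Payload)
	if err != nil {
		return err
	}
	signed, ok := pae(env.PayloadType, payload), false // 1. valid signature from the trusted key
	for _, s := range env.Signatures {
		raw, err := base64.StdEncoding.DecodeString(s.Sig)
		if err == nil && ed25519.Verify(trusted, signed, raw) {
			ok = true
			break
		}
	}
	if !ok {
		return errors.New("no valid signature from trusted builder key")
	}
	var st Statement // 2. parse only after the signature checks out
	if err := json.Unmarshal(payload, &st); err != nil {
		return err
	}
	if st.Type != statementTypeV1 || st.PredicateType != slsaProvenanceV1 {
		return fmt.Errorf("unexpected types %q / %q", st.Type, st.PredicateType)
	}
	if got := st.Predicate.RunDetails.Builder.ID; got != expectedBuilder { // 3. trusted builder
		return fmt.Errorf("builder %q is not the expected %q", got, expectedBuilder)
	}
	want := sha256Hex(artifact) // 4. the file on disk must be a listed subject
	for _, sub := range st.Subject {
		if sub.Name == name && sub.Digest["sha256"] == want {
			return nil
		}
	}
	return fmt.Errorf("artifact %s (sha256 %s) is not a subject of this provenance", name, want)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	name := "etcd-v0.0.0-linux-amd64.tar.gz" // constructed name and bytes, not a real release
	artifact := []byte("constructed tarball contents")
	builder := "https://example.com/trusted-builder@refs/tags/v1.0.0" // assumed builder ID
	env, _ := BuildProvenance(priv, name, artifact, builder)
	fmt.Println("genuine:", VerifyProvenance(env, pub, name, artifact, builder))
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 1
	fmt.Println("tampered:", VerifyProvenance(env, pub, name, tampered, builder))
	fmt.Println("wrong builder:", VerifyProvenance(env, pub, name, artifact, "https://example.com/other"))
}
```

The real consumer check for slsa-github-generator output is `slsa-verifier verify-artifact <file> --provenance-path <file>.intoto.jsonl --source-uri github.com/etcd-io/etcd --source-tag <tag>`, which performs the same four steps but against the Sigstore certificate and Rekor entry instead of a static key, and also pins the source repository and tag recorded in the predicate.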