Generate SLSA Attestations with new releases

[Gephrie]

What would you like to be added: SLSA Attestation Generated with new releases.

Why is this needed:

SLSA's are resources that show evidence that the release consumers receive has not been tampered with during the supply chain process.

Completion requirements:

Implementation of a tool such as https://github.com/kubernetes-sigs/tejolote into the CI process for builds. This will generate the SLSA and attach it to the release.

This enhancement requires the following artifacts:

• [ ] Design doc
• [ ] API change
• [ ] Docs update

The artifacts should be linked in subsequent comments.

[Gephrie]

Tagging @upodroid from K8 Security Slam 2023 #SecuritySlam

[ArangoGutierrez]

/cc @puerco

[ArangoGutierrez]

/sig release

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[tenzen-y]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue as fresh with /remove-lifecycle stale
• Close this issue with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[tenzen-y]

/remove-lifecycle stale /good-first-issue

[k8s-ci-robot]

@tenzen-y: This request has been marked as suitable for new contributors.

Guidelines

Please ensure that the issue body includes answers to the following questions:

• Why are we solving this issue?
• To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
• Does this issue have zero to low barrier of entry?
• How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed by commenting with the /remove-good-first-issue command.

In response to [this](https://github.com/kubernetes-sigs/kueue/issues/1466): >/remove-lifecycle stale >/good-first-issue > Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.

[tannerjones4075]

I would like to help and contribute :) There is an open-source provenance tool called Witness that can generate attestations. There is a Github action that could be implemented in the CI process. Thoughts?

[tenzen-y]

I would like to help and contribute :) There is an open-source provenance tool called Witness that can generate attestations. There is a Github action that could be implemented in the CI process. Thoughts?

Sure, feel free to take this issue with /assign comment.