k8s-triage-robot
commented
2 years ago The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:
- After 90d of inactivity,
lifecycle/staleis applied - After 30d of inactivity since
lifecycle/stalewas applied,lifecycle/rottenis applied - After 30d of inactivity since
lifecycle/rottenwas applied, the issue is closed
You can:
- Mark this issue or PR as fresh with
/remove-lifecycle stale - Mark this issue or PR as rotten with
/lifecycle rotten - Close this issue or PR with
/close - Offer to help out with Issue Triage
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
puerco
xmudrii
What would you like to be added:
When an image is promoted, kpromo pushes all signatures to the production registry. Technically, this means the promoter will copy all .sig layers associated with a promoted digest to the production registries.
We need to do the same for .att layers containing attached attestations making claims about the images (defined in the Sigstore Attestation Spec).
Why is this needed:
We are planning to split out the Kubernetes container images SBOMs into their own documents which should be more lightweight and scoped. In addition, we will attest and attach the sbom to the images at stage time.