kubernetes / kube-state-metrics

Add-on agent to generate and expose cluster-level metrics.
https://kubernetes.io/docs/concepts/cluster-administration/kube-state-metrics/
Apache License 2.0

SLSA Attestation to be generated with new releases. #2282

Open shafeeqes opened 6 months ago

shafeeqes commented 6 months ago

What would you like to be added: SLSA Attestation to be generated with new releases.

Why is this needed: SLSAs are resources that show evidence that the release consumers receive has not been tampered with during the supply chain process. Implementation of a tool such as https://github.com/kubernetes-sigs/tejolote into the CI process for builds will generate the SLSA and attach it to the release.

Describe the solution you'd like: Example implementation: https://github.com/openvex/vexctl/blob/13fa934d15cb49ad2981ce4d3f5e6ecbef599919/.github/workflows/release.yaml#L84-L88

But currently there is no release workflow for this repo. Maybe we can use a tool like https://github.com/actions/upload-artifact to push it to the artifacts when a new tag is created.

Additional context: Part of #2274
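As an added illustration (not part of the original issue and not the project's code): the check a release consumer can run against a provenance file attached to a release, assuming it is an in-toto Statement JSON with a SLSA provenance predicate and sha256 subject digests. The artifact name, builder ID and artifact bytes are constructed; verifying the signature over the statement is a separate step not shown here.

```python
import hashlib
import json

INTOTO_PREFIX = "https://in-toto.io/Statement/"
SLSA_PREFIX = "https://slsa.dev/provenance/"


def check_subject(statement_json, artifact_name, artifact_bytes):
    """Return "ok" if the statement binds artifact_name to these exact bytes,
    otherwise a short reason. Signature verification is out of scope here."""
    try:
        stmt = json.loads(statement_json)
    except json.JSONDecodeError:
        return "statement is not valid JSON"
    if not isinstance(stmt, dict) or not str(stmt.get("_type", "")).startswith(INTOTO_PREFIX):
        return "not an in-toto statement"
    if not str(stmt.get("predicateType", "")).startswith(SLSA_PREFIX):
        return "predicate is not SLSA provenance"
    subjects = stmt.get("subject")
    if not isinstance(subjects, list):
        return "artifact not listed as a subject"
    actual = hashlib.sha256(artifact_bytes).hexdigest()
    for subject in subjects:
        if not isinstance(subject, dict) or subject.get("name") != artifact_name:
            continue
        digest = subject.get("digest")
        expected = digest.get("sha256", "") if isinstance(digest, dict) else ""
        # Fail closed: a listed name with a different or missing digest is a mismatch.
        return "ok" if str(expected).lower() == actual else "digest mismatch"
    return "artifact not listed as a subject"


# Constructed sample data: a stand-in release archive and a statement naming it.
ARTIFACT = b"constructed release archive contents\n"
STATEMENT = json.dumps({
    "_type": "https://in-toto.io/Statement/v0.1",
    "predicateType": "https://slsa.dev/provenance/v0.2",
    "subject": [{"name": "example-release.tar.gz",
                 "digest": {"sha256": hashlib.sha256(ARTIFACT).hexdigest()}}],
    "predicate": {"builder": {"id": "https://example.invalid/builder"}},  # assumed ID
})

if __name__ == "__main__":
    print(check_subject(STATEMENT, "example-release.tar.gz", ARTIFACT))
    print(check_subject(STATEMENT, "example-release.tar.gz", ARTIFACT + b"tampered"))
```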

shafeeqes commented 6 months ago

/cc @mrueg

dashpole commented 5 months ago

/assign @rexagod @mrueg
/triage accepted

rexagod commented 5 months ago

@shafeeqes I believe this was partially accomplished in https://github.com/kubernetes/kube-state-metrics/pull/2276. Are you working on this?

shafeeqes commented 5 months ago

> @shafeeqes I believe this was partially accomplished in #2276.

I don't think so.

> Are you working on this?

No, as explained in the issue, currently there is no release workflow for this repo.

rexagod commented 5 months ago

> I don't think so.

I assumed it since https://github.com/kubernetes/kube-state-metrics/pull/2276 mentions the following.

> Fixes part of https://github.com/kubernetes/kube-state-metrics/issues/2274.

> No, as explained in the issue, currently there is no release workflow for this repo.

I believe we do not necessarily need a release workflow to accomplish this. As mentioned in the same description:

> Maybe we can use a tool like [actions/upload-artifact](https://github.com/actions/upload-artifact) to push it to the artifacts when a new tag is created.

Can go ahead with that, in the same manner that's been done for generate-vex here: https://github.com/kubernetes/kube-state-metrics/pull/2276/files#diff-6efe93b09c83080c15a150bd75e10676413db9a685079951aa16608ff458c3a2R15?

ricardoapl commented 1 month ago

@shafeeqes are you working on this issue? If not, do you mind if I assign it to me?

shafeeqes commented 1 month ago

> @shafeeqes are you working on this issue? If not, do you mind if I assign it to me?

Hi, please do so. I am currently lacking capacity to work on this issue.

ricardoapl commented 1 month ago

/assign