search

tektoncd / plumbing

This repo holds configuration for infrastructure used across the tektoncd org 🏗️
Apache License 2.0
60 stars 110 forks source link

Start signing all of our releases (all projects, full and nightly) #884

Open ghost opened 3 years ago

ghost commented 3 years ago

Feature request

Tekton Chains is running in our dogfooding cluster and currently signing pipelines releases. We should add signing for our other releases as well. Since they share the same or very similar publish tasks we should be able to replicate the needed changes across them all.

Here's the IMAGES field we added for pipelines, which is then picked up by chains to perform the signing: https://github.com/tektoncd/pipeline/blob/main/tekton/publish.yaml#L57-L60

tekton-robot commented 2 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale with a justification. Stale issues rot after an additional 30d of inactivity and eventually close. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

AlanGreene commented 2 years ago

This is done for Dashboard since https://github.com/tektoncd/dashboard/issues/1969 (Nov 11th for nightly, v0.22 for releases)

tekton-robot commented 2 years ago

Stale issues rot after 30d of inactivity. Mark the issue as fresh with /remove-lifecycle rotten with a justification. Rotten issues close after an additional 30d of inactivity. If this issue is safe to close now please do so with /close with a justification. If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

bobcatfish commented 2 years ago

Signing our releases - and more generally meeting slsa.dev requirements for components published by Tekton - is something we've discussed having in the context of the new s3c working group (https://github.com/tektoncd/community/pull/633) so I think it's fair to consider this something we still want to do.

/lifecycle frozen

xchapter7x commented 2 years ago

@afrittoli suggests we make a list of the things we sign and do not yet sign. perhaps a table in this issue, would be a great help.

vdemeester commented 1 year ago

/area roadmap