Open PrivatePuffin opened 11 months ago
@Ornias1993 Good suggestion, would you mind filing a PR to address this issue? Appreciated.
Even if I wanted to, I cannot, as I cannot make signing keys for you. But even so, I've enough work running TrueCharts at the moment to not have free time to fix other helm-chart repositories for other people.
Describe the problem/challenge you have
With supply chain attacks on the rise, it's imperative that everyone starts correctly signing their artifacts. Sadly enough, vmware-tanzu is still not signing their helm-charts, which is, quite frankly, not acceptable for professional use cases.
Describe the solution you'd like
All helm charts should be signed and provide provenance.
Anything else you would like to add:
For more info see: https://helm.sh/docs/topics/provenance/
Example CI: https://github.com/truecharts/helm-staging/blob/main/.github/workflows/release.yaml
Environment:
Irrelevant
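
What a consumer of signed charts can check, as an added example (not part of the issue and not code from either project): the Helm provenance format linked above records a SHA-256 digest per chart archive inside a PGP clearsigned body. The chart bytes, names and provenance text below are constructed, and the block covers only the digest comparison; the PGP signature itself still has to be verified against a trusted keyring, which `helm verify` does.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for a chart archive and its .prov file (not a real release).
SAMPLE_CHART = b"constructed stand-in for mychart-0.1.0.tgz"
SAMPLE_PROV = """-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

apiVersion: v2
name: mychart
version: 0.1.0

...
files:
  mychart-0.1.0.tgz: sha256:{digest}
-----BEGIN PGP SIGNATURE-----

(constructed placeholder, not a real signature)
-----END PGP SIGNATURE-----
""".format(digest=hashlib.sha256(SAMPLE_CHART).hexdigest())


def signed_body(prov_text):
    """Return only the text covered by the signature; anything after it is ignored."""
    start, end = "-----BEGIN PGP SIGNED MESSAGE-----\n", "-----BEGIN PGP SIGNATURE-----"
    if not prov_text.startswith(start) or end not in prov_text:
        raise ValueError("not a clearsigned provenance file")
    armored = prov_text[len(start):prov_text.index(end)]
    # Armor headers such as "Hash: SHA512" end at the first blank line.
    _, sep, body = armored.partition("\n\n")
    if not sep:
        raise ValueError("missing blank line after armor headers")
    return body


def recorded_digests(prov_text):
    """Map archive name -> sha256 hex digest from the signed 'files:' section."""
    _, sep, files = signed_body(prov_text).partition("\nfiles:\n")
    if not sep:
        raise ValueError("provenance file has no files: section")
    return dict(re.findall(r"^[ \t]+(\S+): sha256:([0-9a-f]{64})$", files, re.M))


def archive_matches(prov_text, archive_name, archive_bytes):
    """True only if the archive is listed and its SHA-256 matches the record."""
    expected = recorded_digests(prov_text).get(archive_name)
    if expected is None:
        return False
    actual = hashlib.sha256(archive_bytes).hexdigest()
    return hmac.compare_digest(expected, actual)
```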