Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use Salsa framework during release to increase the supply-chain security #966

Merged
merged 3 commits into from
Oct 17, 2022
Merged

Use Salsa framework during release to increase the supply-chain security #966

merged 3 commits into from
Oct 17, 2022

Conversation

jkremser
Copy link
Member

This is how it looks like on my other repo - https://github.com/jkremser/log2rbac-operator/actions/runs/3234735006#summary-8846153907

it relies on 3 new repo secrets: COSIGN_PRIVATE_KEY, COSIGN_PUBLIC_KEY and COSIGN_PASSWORD
COSIGN_PASSWORD is a passphrase for the private key. The private key is used for signing the artifacts (container images, provenance files, sboms, checksums). The public key is also part of the repo and is used for verifying the signatures.

During the release we push the signatures of container images into container registries so that one can verify the validity of the image. Also some artifacts are published together with the release, check the Assets section on log2rbac release page.

inspired / kudos to https://github.com/philips-labs/slsa-provenance-action/blob/main/.github/workflows/ci.yaml

Signed-off-by: Jirka Kremser jiri.kremser@gmail.com

kuritka
kuritka previously approved these changes Oct 15, 2022
View reviewed changes
Copy link
Collaborator

@kuritka kuritka left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lgtm

somaritane
somaritane suggested changes Oct 15, 2022
View reviewed changes
Copy link
Contributor

@somaritane somaritane left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jkremser looks awesome!
I suggest reflecting these changes in the dev documentation, also wrt the case when cosign key pair should be regenerated.

cosign.pub Show resolved Hide resolved
ytsarev
ytsarev previously approved these changes Oct 17, 2022
View reviewed changes
Copy link
Member

@ytsarev ytsarev left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jkremser it looks really really good. Is it possible to have brief contextual documentation for the implementation? Fine to have it as a separate PR.

@jkremser
Copy link
Member Author

@ytsarev I will amend some docs, I have some conflicts to resolve with my other PR anyway :D so the reviews will be invalidated + this PR uses the old way of sharing the data between steps (echo "::set-output name=container_info )

@jkremser
Use Salsa framework during release to increase the supply-chain security
25a27eb 
Signed-off-by: Jirka Kremser <jiri.kremser@gmail.com>
@jkremser
goreleaser: skip signing and sbom generation when not doing release
c3159c1 
Signed-off-by: Jirka Kremser <jiri.kremser@gmail.com>
@jkremser jkremser dismissed stale reviews from ytsarev and kuritka via 2c83f04 October 17, 2022 15:05
@netlify
Copy link

netlify bot commented Oct 17, 2022
edited
Loading

Deploy Preview for k8gb-preview ready!

Name Link
🔨 Latest commit 0faf42f
🔍 Latest deploy log https://app.netlify.com/sites/k8gb-preview/deploys/634d704556de480009eefb09
😎 Deploy Preview https://deploy-preview-966--k8gb-preview.netlify.app/contributing
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

@jkremser jkremser requested a review from ytsarev October 17, 2022 15:06
@jkremser
docs: SLSA
0faf42f 
Signed-off-by: Jirka Kremser <jiri.kremser@gmail.com>
@jkremser
Copy link
Member Author

@somaritane I've added the docs, can you "ptal" again?

somaritane
somaritane approved these changes Oct 17, 2022
View reviewed changes
Copy link
Contributor

@somaritane somaritane left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jkremser lgtm now, thank you!

@jkremser jkremser merged commit 1ad61dd into k8gb-io:master Oct 17, 2022
@jkremser jkremser deleted the slsa branch October 17, 2022 18:43
@ytsarev ytsarev mentioned this pull request Oct 18, 2022
Closed
31 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kuritka kuritka kuritka approved these changes

@ytsarev ytsarev ytsarev approved these changes

@somaritane somaritane somaritane approved these changes

@donovanmuller donovanmuller Awaiting requested review from donovanmuller

@k0da k0da Awaiting requested review from k0da

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jkremser @somaritane @ytsarev @kuritka