ci: generate attestations during a release #2785
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Justin Marquis <[email protected]>
Signed-off-by: Justin Marquis <[email protected]>
Signed-off-by: Justin Marquis <[email protected]>
Signed-off-by: Justin Marquis <[email protected]>
Codecov ReportPatch and project coverage have no change.
Additional details and impacted files@@ Coverage Diff @@
## master #2785 +/- ##
=======================================
Coverage 81.67% 81.67%
=======================================
Files 133 133
Lines 20193 20193
=======================================
Hits 16493 16493
Misses 2847 2847
Partials 853 853 ☔ View full report in Codecov by Sentry. |
…tation Signed-off-by: zachaller <[email protected]>
zachaller
approved these changes
Jun 14, 2023
…tation Signed-off-by: zachaller <[email protected]>
|
Kudos, SonarCloud Quality Gate passed!
|
zachaller
added a commit
that referenced
this pull request
Jul 12, 2023
* ci: use keyless signing for main and release branches Signed-off-by: Justin Marquis <[email protected]> * fix typo Signed-off-by: Justin Marquis <[email protected]> * ci: generate attestations during a release Signed-off-by: Justin Marquis <[email protected]> * add release trigger script Signed-off-by: Justin Marquis <[email protected]> --------- Signed-off-by: Justin Marquis <[email protected]> Signed-off-by: zachaller <[email protected]> Co-authored-by: zachaller <[email protected]> Signed-off-by: zachaller <[email protected]>
zachaller
added a commit
that referenced
this pull request
Jul 12, 2023
* ci: use keyless signing for main and release branches Signed-off-by: Justin Marquis <[email protected]> * fix typo Signed-off-by: Justin Marquis <[email protected]> * ci: generate attestations during a release Signed-off-by: Justin Marquis <[email protected]> * add release trigger script Signed-off-by: Justin Marquis <[email protected]> --------- Signed-off-by: Justin Marquis <[email protected]> Signed-off-by: zachaller <[email protected]> Co-authored-by: zachaller <[email protected]> Signed-off-by: zachaller <[email protected]>
zachaller
added a commit
that referenced
this pull request
Jul 12, 2023
* ci: use keyless signing for main and release branches Signed-off-by: Justin Marquis <[email protected]> * fix typo Signed-off-by: Justin Marquis <[email protected]> * ci: generate attestations during a release Signed-off-by: Justin Marquis <[email protected]> * add release trigger script Signed-off-by: Justin Marquis <[email protected]> --------- Signed-off-by: Justin Marquis <[email protected]> Signed-off-by: zachaller <[email protected]> Co-authored-by: zachaller <[email protected]> Signed-off-by: zachaller <[email protected]>
zachaller
added
the
cherry-pick-completed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
closes #2353
Can supersede #2783
This PR generates attestations during a release using a new release process. Each attestation contains a SLSA Level 3 provenance which is then cryptographically signed. A SLSA provenance is generated for Argo Rollouts container images and CLI binaries that are published during a release. These provenances are non-falsifable and generated using slsa-github-generator. The release workflow needed to be refactored in order to provide a isolated environment for each step of the build process. This ensures a build will not influence another build, while also denying access to the required permissions to sign a artifact or generate a provenance.
Notable Changes
Low Impact Breaking Changes
Testing
All new and modified files have been fully tested in a public repo. Access to the repo can be requested for testing or trying out the new process.