Add SLSA provenance to your releases #17873
Comments
Contributions are welcomed
Any further consideration given to moving to goreleaser @serathius as mentioned in #13980? Adding provenance is a piece of cake with goreleaser. I'm not sure why your present
Up to date release instructions are in https://github.com/etcd-io/etcd/blob/main/Documentation/contributor-guide/release.md
GitHub announced this yesterday, so will need to compare it to the process originally linked to see if it makes it more straightforward to implement.
Hello @serathius @udf2457 👋
Hi @ArkaSaha30 I am currently focused on some high-priority $work projects, so your offer of assistance is much appreciated @ArkaSaha30 😉 Hopefully when things quiet down a little at $work I will be able to return to this!
Before jumping into coding, please start by reading the etcd release documentation to understand our current process and please propose what changes need to be made to provide SLSA provenance.
What would you like to be added?
Please add SLSA provenance to your releases.
It is easy to do on GitHub:
https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator
Background info:
https://docs.sigstore.dev/signing/overview/
Why is this needed?
Improving robustness against supply-chain attacks.