
Start signing all of our releases (all projects, full and nightly) #884

Open
Tracked by #912
ghost opened this issue Sep 2, 2021 · 6 comments
Labels
area/roadmap Issues that are part of the project (or organization) roadmap (usually an epic) area/s3c Issues or PRs that are related to Secure Software Supply Chain (S3C) kind/feature Categorizes issue or PR as related to a new feature. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.

Comments

@ghost

ghost commented Sep 2, 2021

Feature request

Tekton Chains is running in our dogfooding cluster and currently signing pipelines releases. We should add signing for our other releases as well. Since they share the same or very similar publish tasks we should be able to replicate the needed changes across them all.

Here's the IMAGES field we added for pipelines, which is then picked up by chains to perform the signing: https://github.com/tektoncd/pipeline/blob/main/tekton/publish.yaml#L57-L60
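To show what the Chains type-hint result referred to above looks like in practice, here is an added illustration (not the linked publish.yaml and not Tekton project code): a minimal Task that records the images it published in a result named `IMAGES`, which Chains reads to sign and attest them; the Task name, the `bash:5` step image and the `imageRefs` parameter are assumptions for this example.

```yaml
apiVersion: tekton.dev/v1
kind: Task
metadata:
  name: publish-signed-example   # hypothetical name for this illustration
spec:
  params:
    - name: imageRefs
      description: Comma-separated image references, each pinned by digest (name@sha256:...)
      type: string
  results:
    - name: IMAGES
      description: Images built by this Task; Chains reads this type-hint result to sign and attest them
  steps:
    - name: record-images
      image: docker.io/library/bash:5   # assumed step image; any image with bash works
      env:
        - name: IMAGE_REFS
          value: $(params.imageRefs)
      script: |
        #!/usr/bin/env bash
        set -euo pipefail
        # Chains signs whatever is listed in IMAGES, so refuse tag-only references:
        # a signature must be bound to an immutable digest, not a mutable tag.
        IFS=',' read -ra refs <<< "$IMAGE_REFS"
        for ref in "${refs[@]}"; do
          if [[ "$ref" != *@sha256:* ]]; then
            echo "refusing to record tag-only reference: $ref" >&2
            exit 1
          fi
        done
        # Tekton substitutes the result path before the step runs.
        printf '%s' "$IMAGE_REFS" > "$(results.IMAGES.path)"
```

Invoking the Task with a value such as `gcr.io/example/app@sha256:<digest>` (placeholder) writes that reference to the result; Chains then signs the image by digest and emits its attestation for that Task run.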

@ghost ghost added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 2, 2021
@bobcatfish bobcatfish added the priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. label Oct 13, 2021
@tekton-robot
Contributor

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale with a justification.
Stale issues rot after an additional 30d of inactivity and eventually close.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle stale

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 11, 2022
@AlanGreene
Member

This is done for Dashboard since tektoncd/dashboard#1969 (Nov 11th for nightly, v0.22 for releases)

@tekton-robot
Contributor

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten with a justification.
Rotten issues close after an additional 30d of inactivity.
If this issue is safe to close now please do so with /close with a justification.
If this issue should be exempted, mark the issue as frozen with /lifecycle frozen with a justification.

/lifecycle rotten

Send feedback to tektoncd/plumbing.

@tekton-robot tekton-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 12, 2022
@bobcatfish
Contributor

Signing our releases - and more generally meeting slsa.dev requirements for components published by Tekton - is something we've discussed having in the context of the new s3c working group (tektoncd/community#633) so I think it's fair to consider this something we still want to do.

/lifecycle frozen

@tekton-robot tekton-robot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. labels Feb 16, 2022
@afrittoli afrittoli added the area/s3c Issues or PRs that are related to Secure Software Supply Chain (S3C) label Feb 16, 2022
@xchapter7x

@afrittoli suggests we make a list of the things we sign and do not yet sign.
Perhaps a table in this issue would be a great help.

@vdemeester
Member

/area roadmap

@tekton-robot tekton-robot added the area/roadmap Issues that are part of the project (or organization) roadmap (usually an epic) label Feb 15, 2023
Development

No branches or pull requests

6 participants