Batuhan Apaydın
helpful links: * https://github.com/marcofranssen/slsa-workflow-examples * https://marcofranssen.nl/secure-your-software-supply-chain-using-sigstore-and-github-actions
I'd like to propose the same UX that was being proposed by @wagoodman in his Syft integration to GoReleaser (https://github.com/goreleaser/goreleaser/issues/2597)

```
# .goreleaser.yml
provenances:
  - # ID of the provenance...
```
I thought that GoReleaser could use these SLSA provenance generators that were out there, such as [slsa-framework/slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator/blob/675472104f54a100560e96e8090921390a77cadf/.github/workflows/builder_go_slsa3.yml#L84-L88) and [philips-labs/slsa-provenance-action](https://github.com/philips-labs/slsa-provenance-action), but @asraa gave another idea, and she tells us that IIUC, we...
It seems that there are no reasons that we can't start working on this 🥳
IMHO, it must be enabled by default. Additional useful articles about the topic: * https://blog.sigstore.dev/kubernetes-signals-massive-adoption-of-sigstore-for-protecting-open-source-ecosystem-73a6757da73 * https://thenewstack.io/kubernetes-adopts-sigstore-for-supply-chain-security/
We're willing to work on it, just assign it to us @wagoodman 😋🤞
kindly ping 🙋🏻‍♂️

kindly ping 🙋🏻‍♂️

kindly ping @imjasonh 🙋🏻‍♂️