Is your feature request related to a problem? Please describe:
At its current state, the project exhibits suboptimal supply chain management in the CI pipeline.
The generated OCI images for chaos-mesh are neither signed nor attested.
Describe the feature you'd like:
The proposed solution suggests minimal adherence to industry best practices, by signing and attesting the images (cosign) using their SBOM as a predicate.
Teachability, Documentation, Adoption, Migration Strategy:
Main benefits of the proposed solution are:
- Certify both image and SBOM provenance.
- Have the SBOM available in the same registry as the image, enabling effortless downloading for all users.
For an implementation reference on GitHub Actions, please refer to this.
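
The request above, as an added example that is not part of the original issue and not the project's own workflow: a GitHub Actions job that signs the pushed image with cosign and attaches its SPDX SBOM as a signed attestation in the same registry. Keyless (OIDC) signing, the `ghcr.io/OWNER/IMAGE` placeholder, and the workflow, job and file names are assumptions.

```yaml
# Added example. Placeholders (not from the issue): ghcr.io/OWNER/IMAGE,
# the workflow/job names and the sbom.spdx.json file name.
name: sign-and-attest
on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  packages: write   # push the image, its signature and its attestation to GHCR
  id-token: write   # OIDC token for keyless signing (assumption: Sigstore keyless)

jobs:
  image:
    runs-on: ubuntu-latest
    env:
      IMAGE: ghcr.io/OWNER/IMAGE   # placeholder
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: build
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          tags: ${{ env.IMAGE }}:${{ github.ref_name }}
      - uses: sigstore/cosign-installer@v3
      - name: Generate the SBOM from the pushed digest
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
          format: spdx-json
          output-file: sbom.spdx.json
      - name: Sign and attest by digest, never by mutable tag
        env:
          REF: ${{ env.IMAGE }}@${{ steps.build.outputs.digest }}
        run: |
          # Signature over the image manifest digest.
          cosign sign --yes "$REF"
          # In-toto attestation whose predicate is the SBOM, stored next to the image.
          cosign attest --yes --type spdxjson --predicate sbom.spdx.json "$REF"
```

Consumers can then check provenance with `cosign verify` and `cosign verify-attestation --type spdxjson`, pinning `--certificate-identity` (or `--certificate-identity-regexp`) to the release workflow and `--certificate-oidc-issuer` to `https://token.actions.githubusercontent.com`.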