
feat: supply-chain signing + SBOM (cosign keyless + CycloneDX)#198

Open
Kokila-chandrakar wants to merge 14 commits into
optiqor:mainfrom
Kokila-chandrakar:feat/supply-chain-signing-sbom

Conversation

@Kokila-chandrakar

Contributor

What

Adds production-grade supply-chain hygiene so enterprise customers
can deploy kerno under SLSA / NIST SSDF requirements.

Changes

| File | What changed |
| --- | --- |
| .github/workflows/release.yml | cosign install, image signing by digest, SBOM generation + attestation |
| .goreleaser.yml | signs: and sboms: sections |
| SECURITY.md | signing identity, verification commands, tampered artifact reporting |

Verification (after merge + tag)

cosign verify ghcr.io/optiqor/kerno:v0.1.0 \
  --certificate-identity-regexp '^https://github\.com/optiqor/kerno/\.github/workflows/release\.yml@refs/tags/v' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com

Notes

Add supply-chain hygiene for SLSA/NIST SSDF compliance:

- release.yml: id-token: write permission added for GitHub OIDC;
  install cosign + syft; sign versioned and latest container images
  by digest; generate and attest CycloneDX SBOM to image; upload
  SBOM as release asset

- .goreleaser.yml: signs: block to cosign sign-blob checksums.txt
  (covers all binaries/archives); sboms: block to generate per-arch
  CycloneDX JSON via Syft

- SECURITY.md: document signing identity (OIDC issuer + cert regexp),
  what is signed, verify commands for image/blob/attestation, and
  tampered artifact reporting process

No new secrets required — uses GitHub Actions keyless OIDC signing.
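As an added example (not code from this PR or from the kerno project), here is a consumer-side script that checks a tagged release end to end against the signing setup the description lays out: the keyless image signature, the CycloneDX SBOM attestation, and the cosign sign-blob signature on checksums.txt, followed by an offline comparison of a downloaded archive against the now-trusted checksum list. It pins the certificate identity to the exact tag rather than the `refs/tags/v` prefix regexp shown above, which is stricter. Assumed, because the PR does not state them: the release asset names checksums.txt.sig and checksums.txt.pem (what goreleaser's cosign sign-blob settings commonly produce), and the archive file name used in the usage line.

```shell
#!/bin/sh
# Added example, not part of PR #198 or the kerno repository: verify a kerno
# release end to end as a consumer. Assumed names (not stated in the PR):
# checksums.txt.sig and checksums.txt.pem as the release assets written by
# goreleaser's cosign sign-blob step.
set -eu

IMAGE_REPO="ghcr.io/optiqor/kerno"
ISSUER="https://token.actions.githubusercontent.com"
WORKFLOW=".github/workflows/release.yml"

# Full certificate identity for one tag. Pinning the exact tag instead of the
# '^...@refs/tags/v' regexp rejects a signature made for a different tag.
expected_identity() {
  # $1 = owner/repo, $2 = workflow path in the repo, $3 = git tag
  printf 'https://github.com/%s/%s@refs/tags/%s' "$1" "$2" "$3"
}

# Portable SHA-256 of a file (coreutils sha256sum, or shasum on BSD/macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Image signature: keyless, so trust is the (issuer, identity) pair, not a key.
verify_image() {
  cosign verify "$IMAGE_REPO:$1" \
    --certificate-identity "$(expected_identity optiqor/kerno "$WORKFLOW" "$1")" \
    --certificate-oidc-issuer "$ISSUER" >/dev/null
}

# SBOM attestation: proves the CycloneDX document was attached by the same
# identity; the verified envelope is printed on stdout for further inspection.
verify_sbom_attestation() {
  cosign verify-attestation --type cyclonedx "$IMAGE_REPO:$1" \
    --certificate-identity "$(expected_identity optiqor/kerno "$WORKFLOW" "$1")" \
    --certificate-oidc-issuer "$ISSUER"
}

# checksums.txt signature from the goreleaser signs: block (cosign sign-blob).
verify_checksums_signature() {
  cosign verify-blob checksums.txt \
    --signature checksums.txt.sig --certificate checksums.txt.pem \
    --certificate-identity "$(expected_identity optiqor/kerno "$WORKFLOW" "$1")" \
    --certificate-oidc-issuer "$ISSUER"
}

# Once checksums.txt is trusted, every archive it lists can be checked offline.
# Returns 0 on match, 1 if the file is missing from the list or its hash differs.
check_archive_digest() {
  # $1 = checksums file, $2 = archive path
  expected=$(awk -v f="$(basename "$2")" '$2 == f { print $1 }' "$1")
  [ -n "$expected" ] || return 1
  [ -f "$2" ] || return 1
  actual=$(sha256_of "$2")
  [ "$expected" = "$actual" ]
}

# Usage: RUN_VERIFY=1 sh verify-release.sh v0.1.0 kerno_0.1.0_linux_amd64.tar.gz
# (archive name is a constructed placeholder), run in the directory holding
# checksums.txt, checksums.txt.sig, checksums.txt.pem and the archive.
if [ "${RUN_VERIFY:-0}" = "1" ]; then
  tag="$1"; archive="$2"
  verify_image "$tag"
  verify_sbom_attestation "$tag" >/dev/null
  verify_checksums_signature "$tag"
  check_archive_digest checksums.txt "$archive"
  echo "release $tag verified: image, SBOM attestation, checksums, $archive"
fi
```

The three cosign checks need network access to the registry and to Sigstore's transparency log; check_archive_digest needs only sha256sum or shasum, which is why it is kept separate so the archive check can be re-run offline once checksums.txt has been verified.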
@github-actions

github-actions Bot commented Jun 7, 2026


🚀 First PR — welcome aboard!

A few things to expect:

  1. CI: every PR runs build + race tests + lint + (eventually) the kernel matrix. If something fails, the log will tell you exactly which gate.
  2. DCO: every commit needs Signed-off-by:. git commit -s adds it automatically.
  3. Conventional Commits: PR titles like feat(doctor): add new rule or fix(bpf): handle X. We squash-merge by default.
  4. Review: a maintainer will review within 72 hours. Suggestions are conversations, not orders — push back if something doesn't fit your context.

If you get stuck, reply here or jump to Discussions. We want this PR to land.

@github-actions github-actions Bot added level:critical Touches BPF, security, or release surfaces (auto-applied) documentation Improvements or additions to documentation testing Tests and test coverage area/release Release tooling and packaging area/security Security and supply chain labels Jun 7, 2026
@btwshivam

Member

@Kokila-chandrakar I'll review this, but for now don't add anything in the README; it's already very lengthy. Create a separate doc and you can just link it in the README.

@btwshivam btwshivam left a comment

Member


The keyless cosign + CycloneDX config is valid (goreleaser check passes, id-token: write is set), but the diff carries dupes and unrelated changes: a duplicated cosign step, a duplicated arm64 manifest, an unexplained goreleaser-action v7 to v6 downgrade, removed .goreleaser comments documenting the BPF invariants, and Hindi prose in the public SECURITY.md. Clean those out.

@btwshivam

Member

/retest

@github-actions

github-actions Bot commented Jun 7, 2026


Re-running 1 failed workflow run(s) on 6d6d761.

@Kokila-chandrakar

Contributor Author

CI / Integration failure is a transient Docker Hub connectivity issue on the runner (registry-1.docker.io timeout), not related to this PR. All code checks (Lint, Test, Build) are passing.

@Kokila-chandrakar

Contributor Author

Hi @btwshivam

This PR has been waiting for review for a few days now. All conflicts have been resolved and the changes are ready for maintainer review. I'd be grateful if you could take a look when available.

Thanks!


Development

Successfully merging this pull request may close these issues.

Supply chain: cosign image signing + CycloneDX SBOM in release pipeline
