Skip to content

release: add reproducible supply-chain metadata for images and CLI binaries #105

Description

@RatulMaharaj

Problem

Published images and compiled CLI artifacts need a verifiable build and dependency story. Current workflows do not publish SBOMs or provenance attestations, action references are tag-based, the base image is tag-based, and example binary downloads do not verify checksums.

Scope

  • Pin GitHub Actions and base images by immutable digest.
  • Verify downloaded release binaries with published checksums.
  • Generate SBOMs for container and CLI artifacts.
  • Publish build provenance attestations for GHCR images and release binaries.
  • Add dependency update automation and vulnerability/container scanning.
  • Document how users verify artifacts.

Acceptance criteria

An operator can verify the origin and dependency inventory of every released image and CLI binary.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    Fields

    No fields configured for Task.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions