ci(.github)[SEC-1084]: SLSA supply chain security controls #7479
Conversation
@jackkav / @filfreire An |
.github/workflows/release-build.yml
Outdated
build-and-upload-release-artifacts:
  timeout-minutes: 30
  runs-on: ${{ matrix.os }}
  env:
    INSO_PACKAGE_NAME: insomnia-inso
    INSO_PACKAGE_WS_PATH: ./packages/insomnia-inso/
It isn't very clear what WS in WS_PATH means; just _PATH would be clearer.
Also, the amount of indirection here makes the scripts hard to read.
I have removed the INSO_PACKAGE_WS_PATH and INSO_PACKAGE_ARTIFACTS_PATH variables and replaced them with ./packages/<env.INSO_PACKAGE_NAME>/<path>
Signatures for container image signing are published to:
@jackkav LMK if the alpha and beta tags are considered for external use and the signatures must be publicly verifiable? In this case, I can point to |
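For the "publicly verifiable" question above, the following is an added example workflow, not the PR's own release-build.yml, showing what keyless container image signing and verification with Sigstore cosign look like in GitHub Actions. The workflow file name (release-image.yml), the image path under ghcr.io, the inso image name and the core@* tag filter are assumptions; only the actions and cosign flags used are real.

```yaml
# Added example, not the project's workflow. Image path, workflow file name
# and tag pattern are assumptions for illustration.
name: release-image

on:
  push:
    tags:
      - 'core@*'          # assumption: release tags look like core@<tag>

permissions:
  contents: read

jobs:
  build-sign:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write     # push to GHCR
      id-token: write     # lets cosign mint an OIDC token and get a short-lived Fulcio cert
    outputs:
      digest: ${{ steps.build.outputs.digest }}
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ghcr.io/${{ github.repository }}/inso:${{ github.ref_name }}

      - uses: sigstore/cosign-installer@v3

      # Sign the immutable digest, never the mutable tag. The signature and
      # certificate are stored next to the image in the registry and the
      # Rekor transparency log entry makes them verifiable by anyone,
      # with no long-lived project key to protect or distribute.
      - run: cosign sign --yes ghcr.io/${{ github.repository }}/inso@${{ steps.build.outputs.digest }}

  verify:
    needs: build-sign
    runs-on: ubuntu-latest
    steps:
      - uses: sigstore/cosign-installer@v3

      # Verification pins the signer to this repository's release workflow
      # identity on a core@ tag and to GitHub's OIDC issuer. A consumer
      # outside the organisation runs the same command without any
      # repository access.
      - run: |
          cosign verify \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-identity-regexp '^https://github.com/${{ github.repository }}/\.github/workflows/release-image\.yml@refs/tags/core@' \
            ghcr.io/${{ github.repository }}/inso@${{ needs.build-sign.outputs.digest }}
```

The identity regexp is where the tag policy lives: whichever refs are meant for external consumption (alpha and beta included or not) must be matched here, and consumers should verify against the digest, not the tag, since a tag can be moved after signing.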
Let's merge this when we have a spare hour or two to test an alpha and fix any issues. |
* ci(.github)[SEC-1084]: SLSA supply chain security controls
* fix gh review comments
New insomnia and inso-cli
using tag: core@<tag>
(alpha|beta)
alpha|beta tags
package-lock.json
release branches