Proposal - Signatures for Carvel Artifacts #668
Signed-off-by: Thomas Vitale <ThomasVitale@users.noreply.github.com>
Thank you so much for putting this together 🙏🏼
Just added a few thoughts and called out some "nice to haves"!
@100mik thanks for your review. I have added examples in GitHub Actions of how to verify the signatures for both OCI and binary artifacts (including links to a couple of demos I made). I have also refined the suggestion for the binary artifacts part and included examples of how to integrate Cosign with GoReleaser, since that's the tool used by all Carvel projects.
The proposal looks good.
The only question I would like to see answered before a thumbs up is, what are the plans for our GitHub action? Should it also verify that the binaries are signed? If so, we need to ensure we are backward compatible since we have older versions without signatures.
@joaopapereira thanks for the review. Do you mean this Action? https://github.com/carvel-dev/setup-action I can see we are currently verifying the checksums against the
That sounds great to me. I will review it again when you add this part. Thanks for the great work.
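The backward-compatibility concern raised above (newer releases carry a Cosign signature, older ones only a checksums file) can be handled by preferring the signature and falling back to the checksum. The following is an added example, not the setup-action's own code; the signer identity regexp and OIDC issuer are placeholder assumptions, and the `cosign verify-blob` flags are those of Cosign v2.

```shell
#!/bin/sh
# Hypothetical helper (added example, not part of carvel-dev/setup-action).
# Verify a downloaded Carvel release binary: use the Cosign signature and
# certificate when they ship next to the binary, otherwise fall back to the
# SHA-256 entry in the release checksums file so older releases still install.
set -eu

# Assumed keyless-signing identity (placeholders, adjust to the real workflow).
COSIGN_IDENTITY_REGEXP="${COSIGN_IDENTITY_REGEXP:-^https://github.com/carvel-dev/.*}"
COSIGN_OIDC_ISSUER="${COSIGN_OIDC_ISSUER:-https://token.actions.githubusercontent.com}"

# sha256_of FILE: print the hex SHA-256 digest, using whichever tool exists.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_checksum FILE CHECKSUMS_FILE
# CHECKSUMS_FILE is in the "<hex>  <filename>" format GoReleaser emits.
verify_checksum() {
  expected=$(awk -v name="$(basename "$1")" '$2 == name {print $1}' "$2")
  [ -n "$expected" ] || { echo "no checksum entry for $1" >&2; return 1; }
  [ "$(sha256_of "$1")" = "$expected" ]
}

# verify_artifact FILE CHECKSUMS_FILE
# Signed release: FILE.sig and FILE.pem exist, so verify with cosign.
# Unsigned (older) release: only the checksum can be checked.
verify_artifact() {
  if [ -f "$1.sig" ] && [ -f "$1.pem" ]; then
    command -v cosign >/dev/null 2>&1 || { echo "cosign not installed" >&2; return 1; }
    cosign verify-blob \
      --signature "$1.sig" --certificate "$1.pem" \
      --certificate-identity-regexp "$COSIGN_IDENTITY_REGEXP" \
      --certificate-oidc-issuer "$COSIGN_OIDC_ISSUER" \
      "$1"
  else
    echo "no signature for $1, falling back to checksum verification" >&2
    verify_checksum "$1" "$2"
  fi
}
```

The checksum branch is exactly the pre-signature behaviour, so an installer using it keeps working for releases published before signing was introduced.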
@joaopapereira I have added a section to describe the changes suggested for the Carvel GitHub Action.
LGTM
Looks good! 🚀
LGTM! Thank you so much for the great work !!
We are at the point where we can consider this lazily approved. @ThomasVitale please update the status and we will be able to merge it.
--- | ||
title: "Signatures for Carvel Artifacts" | ||
authors: [ "Thomas Vitale <ThomasVitale@users.noreply.github.com>" ] | ||
status: "in review" |
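Review bot: the last line of this hunk still records `status: "in review"` in the proposal frontmatter; since the document is being merged as approved, that value should be changed to `"accepted"` in the same change so the committed metadata reflects the outcome.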
status: "in review" | |
status: "accepted" |
@joaopapereira Thanks, I updated the status
Green lights all the way!
We should probably work towards having a flow that does not require commits to change statuses in the future 🤔
* Proposal - Signatures for Carvel Artifacts
  Signed-off-by: Thomas Vitale <ThomasVitale@users.noreply.github.com>
* Update proposal metadata
  Signed-off-by: Thomas Vitale <ThomasVitale@users.noreply.github.com>
* Improve formatting
  Signed-off-by: Thomas Vitale <ThomasVitale@users.noreply.github.com>
* Update proposal status
  Signed-off-by: Thomas Vitale <ThomasVitale@users.noreply.github.com>
* Improve proposal after review
  Signed-off-by: Thomas Vitale <ThomasVitale@users.noreply.github.com>
* Refined proposal for binaries + examples
  Signed-off-by: Thomas Vitale <ThomasVitale@users.noreply.github.com>
* Fix typo
  Signed-off-by: Thomas Vitale <ThomasVitale@users.noreply.github.com>
* Introduce changes to Carvel GH Action
  Signed-off-by: Thomas Vitale <ThomasVitale@users.noreply.github.com>
* Update proposal status to 'accepted'
  Signed-off-by: Thomas Vitale <ThomasVitale@users.noreply.github.com>
---------
Signed-off-by: Thomas Vitale <ThomasVitale@users.noreply.github.com>
Signed-off-by: ashpect <ashishndiitr@gmail.com>
Proposal for introducing signatures for all Carvel artifacts as previously suggested in #619.