ci: cosign keyless sigs, SBOM, provenance + fedora digest pin #7

Merged
s8n merged 3 commits from feat/sre-cosign-sbom-attestation into main 2026-05-06 13:47:28 +01:00

Summary

  • Sign each ISO chunk with cosign keyless OIDC; attach .sig + .pem to ci-latest
  • Generate SPDX SBOM via anchore/sbom-action and ship it alongside the parts
  • Attach in-toto build-provenance via actions/attest-build-provenance
  • Pin registry.fedoraproject.org/fedora:43 to digest captured via skopeo on 2026-05-06
  • TODO marker for SHA-pinning third-party actions (tracked separately to keep this PR small)

Test plan

  • PR triggers a build run
  • cosign step produces .sig + .pem next to each .part-*
  • SBOM file veilor-os.spdx.json lands in build/out
  • Provenance attestation visible on the workflow run
  • ci-latest release picks up the new files in its assets list

A3 SRE retry — keeps action versions on major-tag pins to avoid the web-lookup stall that took out the previous attempt.

s8n added 3 commits 2026-05-06 10:41:48 +01:00
Sign each ISO chunk with cosign keyless OIDC, generate an SPDX SBOM
of the build output, and attach an in-toto build-provenance
attestation. Sigs/certs/SBOM are uploaded alongside the ISO parts in
the ci-latest rolling prerelease so the test/auto-install.sh path
can verify before reassembling.

Action versions are major-version tags (@v3, @v0, @v2). SHA-pinning
is tracked separately to keep this PR small and avoid the long web
lookups that stalled the previous attempt.
Pin registry.fedoraproject.org/fedora:43 to its current manifest
digest so a malicious or accidental tag-rewrite upstream cannot
silently change the base layer of every CI build. Digest was
captured via `skopeo inspect --raw` on 2026-05-06. Refresh
procedure documented inline.
ci: TODO marker for SHA-pinning third-party actions
Some checks failed
Lint / Kickstart syntax (pull_request) Failing after 3s
Lint / Shell scripts (pull_request) Failing after 38s
Lint / No personal/onyx leaks (pull_request) Failing after 11m14s
b74ef5005d
Note that all `uses:` directives still resolve to mutable major-
version tags. SHA-pinning is the Agent 8 audit recommendation but
requires per-action web lookups that stalled the previous SRE
attempt; tracked separately so this PR can land first.
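The verify-before-reassemble path that the PR body and the commit messages describe (cosign `.sig` + `.pem` per part, then reassembly, plus a check that the base-image reference is really digest-pinned and the `skopeo` refresh procedure), written out as an added shell example. This is not the project's own `test/auto-install.sh` or CI workflow. Assumed, because the page does not state them: that signing runs under GitHub Actions (the default OIDC issuer and the workflow-identity regexp below, both overridable through `COSIGN_OIDC_ISSUER` / `COSIGN_IDENTITY_RE`), the `<name>.iso.part-NN` naming, a `SHA256SUMS` file in `sha256sum` format next to the parts, and `cosign`, `skopeo`, `sha256sum` and `awk` on `PATH`.

```shell
#!/bin/sh
# Added example, not veilor-os's test/auto-install.sh or CI workflow.
# Producer side: keyless-sign one ISO part (the job needs id-token: write).
# Consumer side: verify each part's .sig/.pem, check the base-image pin,
# reassemble the parts in name order and compare the result with SHA256SUMS.

# ASSUMPTION: signing happens in GitHub Actions, and only the named workflow
# on main may sign. Override both variables for the real forge and workflow.
default_re='^https://github.com/veilor-org/veilor-os/\.github/workflows/[^@]+@refs/heads/main$'
COSIGN_OIDC_ISSUER="${COSIGN_OIDC_ISSUER:-https://token.actions.githubusercontent.com}"
COSIGN_IDENTITY_RE="${COSIGN_IDENTITY_RE:-$default_re}"

# sign_part PART: writes PART.sig and PART.pem (the short-lived Fulcio leaf
# certificate that ties the signature to the workflow identity).
sign_part() {
  cosign sign-blob --yes \
    --output-signature "$1.sig" --output-certificate "$1.pem" "$1"
}

# verify_part PART: fail closed when the artefacts are missing or cosign
# rejects. Without the identity/issuer constraints any certificate Fulcio ever
# issued would satisfy the check, so those two flags are the point.
verify_part() {
  for ext in sig pem; do
    [ -s "$1.$ext" ] || { echo "missing $1.$ext" >&2; return 1; }
  done
  cosign verify-blob \
    --certificate "$1.pem" --signature "$1.sig" \
    --certificate-oidc-issuer "$COSIGN_OIDC_ISSUER" \
    --certificate-identity-regexp "$COSIGN_IDENTITY_RE" \
    "$1"
}

# is_digest_pinned REF: accepts only name[:tag]@sha256:<64 hex>; a bare
# fedora:43 is a mutable tag and is rejected.
is_digest_pinned() {
  printf '%s' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# current_digest REF: refresh procedure for the pin. A tag's digest is sha256
# over the raw manifest bytes, which is exactly what --raw prints. Needs network.
current_digest() {
  printf 'sha256:%s\n' "$(skopeo inspect --raw "docker://$1" | sha256sum | cut -d' ' -f1)"
}

# assemble_and_check OUT SUMS PART...: concatenate PARTs in name order and
# compare OUT with the entry for its basename in SUMS (sha256sum format).
assemble_and_check() {
  out=$1; sums=$2; shift 2
  printf '%s\n' "$@" | LC_ALL=C sort | while IFS= read -r p; do cat "$p"; done > "$out"
  want=$(awk -v f="$(basename "$out")" '$2 == f { print $1 }' "$sums")
  have=$(sha256sum "$out" | cut -d' ' -f1)
  [ -n "$want" ] && [ "$want" = "$have" ]
}

# reassemble OUT SUMS PART...: every part must verify before a single byte is
# written to OUT, so a tampered part never reaches the installer.
reassemble() {
  out=$1; sums=$2; shift 2
  for p in "$@"; do verify_part "$p" || return 1; done
  assemble_and_check "$out" "$sums" "$@"
}
```

After downloading the ci-latest assets, `reassemble build/out/veilor-os.iso build/out/SHA256SUMS build/out/veilor-os.iso.part-*` (paths assumed) verifies and rebuilds the image; `current_digest registry.fedoraproject.org/fedora:43` prints the value to compare against the pinned `@sha256:` when refreshing the pin, and `is_digest_pinned` is the check a lint step can run over the `FROM`/`image:` line so a refresh cannot silently drop back to the bare tag.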
s8n merged commit 3d35196a2d into main 2026-05-06 13:47:28 +01:00
Reference: veilor-org/veilor-os#7