ci: cosign keyless sigs, SBOM, provenance + fedora digest pin #7

Merged
s8n merged 3 commits from feat/sre-cosign-sbom-attestation into main 2026-05-06 13:47:28 +01:00

3 commits

Author SHA1 Message Date
veilor-org
b74ef5005d ci: TODO marker for SHA-pinning third-party actions
Some checks failed
Lint / Kickstart syntax (pull_request) Failing after 3s
Lint / Shell scripts (pull_request) Failing after 38s
Lint / No personal/onyx leaks (pull_request) Failing after 11m14s
Note that all `uses:` directives still resolve to mutable major-
version tags. SHA-pinning is the Agent 8 audit recommendation but
requires per-action web lookups that stalled the previous SRE
attempt; tracked separately so this PR can land first.
2026-05-06 10:41:19 +01:00
veilor-org
84275e2515 ci: pin fedora:43 base image to digest
Pin registry.fedoraproject.org/fedora:43 to its current manifest
digest so a malicious or accidental tag-rewrite upstream cannot
silently change the base layer of every CI build. Digest was
captured via `skopeo inspect --raw` on 2026-05-06. Refresh
procedure documented inline.
2026-05-06 10:41:10 +01:00
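The two commits above describe the same class of risk from two sides: `uses:` directives that resolve to mutable major-version tags, and a base image pulled by tag rather than by manifest digest. The lint below is an added example, not code from this PR, that a CI job could run before merge to report both kinds of mutable reference. The workflow and Containerfile contents, the 40-hex SHA and the all-zero digest are constructed placeholders for the demonstration, not values from this repository.

```shell
#!/bin/sh
# Added example (not part of this PR): report mutable references in CI inputs.
#   - `uses:` targets should end in a full 40-hex commit SHA
#     (docker:// actions must carry an @sha256:<64 hex> digest instead)
#   - FROM images in a Containerfile should carry an @sha256:<64 hex> digest
# All file names and contents below are constructed for the demonstration.

# Print every `uses:` target that is not pinned. Local "./" actions have no
# remote ref to pin and are skipped. Interval expressions are avoided so the
# awk program also runs on mawk; length() does the width check instead.
unpinned_uses() {
    awk '
        /^[[:space:]-]*uses:/ {
            sub(/^[[:space:]-]*uses:[[:space:]]*/, "")   # drop the key
            sub(/[[:space:]]*#.*$/, "")                   # drop trailing comment
            gsub(/["'"'"']/, "")                          # drop YAML quotes
            if ($0 ~ /^\.\//) next
            n = split($0, part, "@")
            ref = (n > 1) ? part[n] : ""
            if ($0 ~ /^docker:\/\//) {
                if (!(ref ~ /^sha256:[0-9a-f]+$/ && length(ref) == 71)) print
                next
            }
            if (!(ref ~ /^[0-9a-f]+$/ && length(ref) == 40)) print
        }' "$1"
}

# Print every FROM image in a Containerfile that lacks a sha256 manifest digest.
# "scratch" and stage aliases declared earlier with "AS name" cannot be pinned
# and are skipped; a --platform= flag before the image is tolerated.
unpinned_from() {
    awk '
        toupper($1) == "FROM" {
            img = ($2 ~ /^--platform=/) ? $3 : $2
            if (img != "scratch" && !(img in stages)) {
                n = split(img, part, "@")
                dg = (n > 1) ? part[n] : ""
                if (!(dg ~ /^sha256:[0-9a-f]+$/ && length(dg) == 71)) print img
            }
            for (i = 1; i < NF; i++) if (toupper($i) == "AS") stages[$(i + 1)] = 1
        }' "$1"
}

# Run both checks; exit status 1 when anything is unpinned, so CI can gate on it.
lint_pins() {
    findings=$( { unpinned_uses "$1"; unpinned_from "$2"; } )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sed 's/^/unpinned reference: /'
    return 1
}

# Constructed samples: one tag-pinned action, one SHA-pinned action (placeholder
# SHA), one local action, one tag-pinned base image and one digest-pinned image
# (placeholder digest). Only the two tag-pinned references should be reported.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/ci.yml" <<'EOF'
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: "example-org/example-action@0123456789abcdef0123456789abcdef01234567"
      - uses: ./.forgejo/actions/local-step
EOF
    cat > "$dir/Containerfile" <<'EOF'
FROM registry.fedoraproject.org/fedora:43 AS builder
FROM builder
FROM scratch
FROM registry.fedoraproject.org/fedora:43@sha256:0000000000000000000000000000000000000000000000000000000000000000
EOF
    lint_pins "$dir/ci.yml" "$dir/Containerfile"
    rc=$?
    rm -rf "$dir"
    return $rc
}

if demo; then echo "all references pinned"; else echo "mutable references found (expected for the constructed sample)"; fi
```

The digest check accepts only a 64-hex `sha256:` value after `@`; a bare tag, or a tag with no digest, is reported even when the tag looks immutable, because a tag can be re-pointed upstream exactly as the digest-pin commit message describes.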
veilor-org
0a1b81a9e0 ci: add cosign keyless sigs, SBOM, and provenance attestation
Sign each ISO chunk with cosign keyless OIDC, generate an SPDX SBOM
of the build output, and attach an in-toto build-provenance
attestation. Sigs/certs/SBOM are uploaded alongside the ISO parts in
the ci-latest rolling prerelease so the test/auto-install.sh path
can verify before reassembling.

Action versions are major-version tags (@v3, @v0, @v2). SHA-pinning
is tracked separately to keep this PR small and avoid the long web
lookups that stalled the previous attempt.
2026-05-06 10:40:56 +01:00
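The commit message leaves the consumer side implicit: the signatures and certificates are uploaded so that the install path can verify each chunk before reassembling. The script below is an added example, not the PR's code or its `test/auto-install.sh`, of a fail-closed consumer for that layout using cosign v2 `verify-blob` with the certificate identity and OIDC issuer constrained. The part-file naming (`*.partNN`), the `.sig`/`.crt` sidecar extensions, and the identity and issuer values are assumptions for the demonstration, not values from the PR.

```shell
#!/bin/sh
# Added example (not code from this PR): verify every ISO part with cosign
# keyless before a single byte is concatenated. Assumptions: parts are named
# <name>.partNN with zero-padded index, each with <part>.sig and <part>.crt
# sidecars, and cosign v2 is on PATH (overridable via $COSIGN).

COSIGN=${COSIGN:-cosign}

# Verify one blob. The identity regexp and issuer bind the certificate to the
# release workflow that is allowed to sign, not merely to any Fulcio-issued cert.
verify_part() {
    part=$1 identity_re=$2 issuer=$3
    [ -f "$part.sig" ] && [ -f "$part.crt" ] || {
        echo "missing signature or certificate for $part" >&2
        return 1
    }
    "$COSIGN" verify-blob \
        --certificate "$part.crt" \
        --signature "$part.sig" \
        --certificate-identity-regexp "$identity_re" \
        --certificate-oidc-issuer "$issuer" \
        "$part"
}

# Verify all parts first, then reassemble. Parts are taken in glob order, so the
# producer must zero-pad the index (part00, part01, ...). Any failure removes a
# stale output file and returns 1 so nothing downstream boots an unverified image.
verify_and_reassemble() {
    dir=$1 out=$2 identity_re=$3 issuer=$4
    set -- "$dir"/*.part[0-9][0-9]
    [ -e "$1" ] || { echo "no parts found in $dir" >&2; return 1; }
    for p in "$@"; do
        verify_part "$p" "$identity_re" "$issuer" >/dev/null || {
            echo "verification failed: $p" >&2
            rm -f "$out"
            return 1
        }
    done
    cat "$@" > "$out"
    echo "verified $# parts, wrote $out"
}

# Example invocation with placeholder identity and issuer (assumed values):
# verify_and_reassemble ./ci-latest ./release.iso \
#     '^https://<forge-host>/veilor-org/<repo>/\.forgejo/workflows/<release>\.yml@refs/' \
#     'https://<forge-oidc-issuer>'
```

Verification happens per part rather than on the reassembled image because that is what the producer signed; verifying after `cat` would require a signature over the whole ISO that this layout does not publish. Tightening `--certificate-identity-regexp` to the exact workflow path and ref is what stops a signature from any other workflow on the same forge from being accepted.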