veilor-os

History

veilor-org 0a1b81a9e0 ci: add cosign keyless sigs, SBOM, and provenance attestation Sign each ISO chunk with cosign keyless OIDC, generate an SPDX SBOM of the build output, and attach an in-toto build-provenance attestation. Sigs/certs/SBOM are uploaded alongside the ISO parts in the ci-latest rolling prerelease so the test/auto-install.sh path can verify before reassembling. Action versions are major-version tags (@v3, @v0, @v2). SHA-pinning is tracked separately to keep this PR small and avoid the long web lookups that stalled the previous attempt.	2026-05-06 10:40:56 +01:00
..
build-iso.yml	ci: add cosign keyless sigs, SBOM, and provenance attestation	2026-05-06 10:40:56 +01:00
lint.yml	ci: scope brand-leak lint to source dirs only (#6 )	2026-05-02 04:07:03 +01:00

veilor-org 0a1b81a9e0 ci: add cosign keyless sigs, SBOM, and provenance attestation

Sign each ISO chunk with cosign keyless OIDC, generate an SPDX SBOM
of the build output, and attach an in-toto build-provenance
attestation. Sigs/certs/SBOM are uploaded alongside the ISO parts in
the ci-latest rolling prerelease so the test/auto-install.sh path
can verify before reassembling.

Action versions are major-version tags (@v3, @v0, @v2). SHA-pinning
is tracked separately to keep this PR small and avoid the long web
lookups that stalled the previous attempt.

2026-05-06 10:40:56 +01:00

build-iso.yml

ci: add cosign keyless sigs, SBOM, and provenance attestation

2026-05-06 10:40:56 +01:00

lint.yml

ci: scope brand-leak lint to source dirs only (#6 )

2026-05-02 04:07:03 +01:00