25b8d30f35
Sign each ISO chunk with cosign keyless OIDC, generate an SPDX SBOM of the build output, and attach an in-toto build-provenance attestation. Sigs/certs/SBOM are uploaded alongside the ISO parts in the ci-latest rolling prerelease so the test/auto-install.sh path can verify before reassembling. Action versions are major-version tags (@v3, @v0, @v2). SHA-pinning is tracked separately to keep this PR small and avoid the long web lookups that stalled the previous attempt. |
||
|---|---|---|
| .. | ||
| workflows | ||
| CODEOWNERS | ||
| PULL_REQUEST_TEMPLATE.md | ||