Release SBOM and SLSA attestation

The released Helm chart and container image should be signed and the relative security artifacts (pem, hashsum...) should be released together with the main artifacts.
Also a SBOM should be present.

Extra references:
- GitHub Action: [slsa-github-generator](https://github.com/slsa-framework/slsa-github-generator)
   - [A good example from the ArgoCD project](https://github.com/argoproj/argo-cd/blob/master/.github/workflows/release.yaml)
- Linux Foundation course: [lfel1007](https://trainingportal.linuxfoundation.org/learn/course/automating-supply-chain-security-sboms-and-signatures-lfel1007)
- [SLSA specs](https://slsa.dev/spec/v1.0/)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Release SBOM and SLSA attestation #23

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Uh oh!

Release SBOM and SLSA attestation #23

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions