Skip to content

ci(supply-chain): add Rekor identity + consistency monitor#1480

Merged
mchmarny merged 3 commits into
mainfrom
feat/rekor-monitor
Jun 26, 2026
Merged

ci(supply-chain): add Rekor identity + consistency monitor#1480
mchmarny merged 3 commits into
mainfrom
feat/rekor-monitor

Conversation

@lockwobr

Copy link
Copy Markdown
Contributor

Summary

Add an hourly scheduled workflow that monitors the public-good Rekor transparency log for AICR's release supply chain: log consistency (append-only) and AICR's release signing identity.

Motivation / Context

AICR signs its releases and logs them to Rekor, but nothing watched the log itself. This adds detection for two risks: an entry appearing under AICR's release identity that a release did not produce (OIDC/key compromise), and the log no longer being append-only. It protects the trust root every AICR consumer depends on (release binaries, signed recipe catalog, container images all chain to that one identity).

Fixes: #1460
Related: #1149

Type of Change

  • New feature (non-breaking change that adds functionality)
  • Documentation update
  • Build/CI/tooling

Component(s) Affected

  • Docs/examples (docs/, examples/)
  • Other: CI workflows (.github/workflows)

Implementation Notes

  • Calls the upstream sigstore/rekor-monitor reusable workflow (reusable_monitoring.yml). A single run does both required behaviors: RunConsistencyCheck advances/verifies the append-only checkpoint, and IdentitySearch scans entries added since the last checkpoint for the configured identity. Identity monitoring is incremental by design (new entries since last checkpoint), which is why the checkpoint artifact is retained.
  • Monitored identity is AICR's release signer (per .goreleaser.yaml and .github/workflows/on-tag.yaml): certSubject regex for on-tag.yaml@refs/tags/*, issuers pinned to token.actions.githubusercontent.com.
  • Pinned to a main commit SHA (170374c…); upstream has no tags/releases. Matches the repo convention of SHA-pinning actions with a version/date comment.
  • Least-privilege: top-level permissions: {}; the job grants only contents: read, issues: write, id-token: write (exactly what the reusable workflow requires). A concurrency group with cancel-in-progress: false serializes runs without killing an in-flight checkpoint write.
  • url is intentionally unset so the monitor uses the public-good default and discovers current log shards (including Rekor v2) via TUF, rather than hardcoding an endpoint that could drift.
  • artifact_retention_days: 30 comfortably exceeds the hourly cron so the consistency checkpoint never expires between runs.
  • Triage runbook lives in the workflow header to avoid doc drift; docs/contributor/maintaining.md adds a short pointer.

Testing

actionlint .github/workflows/rekor-monitor.yaml   # OK
yamllint -c .yamllint.yaml .github/workflows/rekor-monitor.yaml   # OK

No Go source changed, so make test / coverage gates do not apply. A scheduled workflow cannot run from a branch; after merge, workflow_dispatch can trigger a manual run on main to confirm it executes and files an issue correctly.

Risk Assessment

  • Low — Additive, isolated CI workflow plus a docs pointer; trivially revertible by deleting the workflow file.

Rollout notes: No migration. First scheduled run establishes the baseline consistency checkpoint and begins scanning forward; it does not retroactively sweep historical entries.

Checklist

  • Linter passes (actionlint + yamllint)
  • I did not skip/disable tests to make CI green
  • I updated docs (maintainer runbook pointer)
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)

No Go code changed, so unit tests / new tests are not applicable.

Add an hourly scheduled workflow that calls the upstream
sigstore/rekor-monitor reusable workflow to monitor the public-good
Rekor transparency log for AICR's release supply chain: verifying the
log stays append-only (consistency) and watching for entries under
AICR's release signing identity that a release did not produce
(identity). Files an issue on failure.

Pinned to a main commit SHA (upstream has no tags/releases),
least-privilege permissions, and leaves the Rekor URL unset so it
tracks the public-good log (incl. Rekor v2) via TUF discovery.

Fixes #1460
@lockwobr lockwobr requested review from a team as code owners June 26, 2026 00:25
@lockwobr lockwobr added the theme/supply-chain SLSA, SBOM, Sigstore, and provenance verification label Jun 26, 2026
@lockwobr lockwobr self-assigned this Jun 26, 2026
@lockwobr lockwobr enabled auto-merge (squash) June 26, 2026 00:26
@github-actions

Copy link
Copy Markdown
Contributor

@coderabbitai

coderabbitai Bot commented Jun 26, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 204bb2bc-bfca-443c-9f65-52a5340445a6

📥 Commits

Reviewing files that changed from the base of the PR and between 6fc3444 and ec98ebf.

📒 Files selected for processing (2)
  • .github/workflows/rekor-monitor.yaml
  • docs/contributor/maintaining.md

📝 Walkthrough

Walkthrough

Adds a new GitHub Actions workflow that runs hourly and on manual dispatch, invokes the pinned sigstore/rekor-monitor reusable workflow, sets job permissions, retention, and identity/issuer filters, and enables issue filing on failure. It also adds a contributor runbook section describing the monitor and its failure handling.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly and concisely summarizes the main change: adding a Rekor identity and consistency monitor.
Description check ✅ Passed The description is directly aligned with the workflow and docs changes and explains the motivation and implementation.
Linked Issues check ✅ Passed The workflow satisfies the core requirements from #1460: hourly Rekor monitoring, identity and consistency checks, issue filing, artifact retention, and zero Go changes.
Out of Scope Changes check ✅ Passed The added docs and workflow updates stay within the supply-chain monitoring scope.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/rekor-monitor

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jun 26, 2026

Copy link
Copy Markdown
Contributor

Coverage Report ✅

Metric Value
Coverage 77.3%
Threshold 75%
Status Pass
Coverage Badge
![Coverage](https://img.shields.io/badge/coverage-77.3%25-green)

No Go source files changed in this PR.

@mchmarny mchmarny disabled auto-merge June 26, 2026 13:03
@mchmarny mchmarny enabled auto-merge (squash) June 26, 2026 14:41
@mchmarny mchmarny merged commit eac5eee into main Jun 26, 2026
33 checks passed
@mchmarny mchmarny deleted the feat/rekor-monitor branch June 26, 2026 14:50
atif1996 added a commit that referenced this pull request Jun 29, 2026
- Restore .github/workflows/rekor-monitor.yaml lost during squash (was
  added in #1480, absent from stale branch base)
- Remove verifyClusterPolicyReady call and function reverted by squash
  (#1495 had removed it; stale branch base brought it back)
- Update apiVersion aicr.nvidia.com/v1alpha1 → aicr.run/v1alpha2 in
  l40s-any, l40s-oke-training, l40s-oke-inference overlays (post-#1499
  domain migration)
- Add `ol` to OS enum description in pkg/client/v1/types.go and
  pkg/fingerprint/doc.go

Signed-off-by: Atif Mahmood <[email protected]>
Signed-off-by: Atif Mahmood <[email protected]>
atif1996 added a commit that referenced this pull request Jun 29, 2026
- Restore .github/workflows/rekor-monitor.yaml lost during squash (was
  added in #1480, absent from stale branch base)
- Remove verifyClusterPolicyReady call and function reverted by squash
  (#1495 had removed it; stale branch base brought it back)
- Update apiVersion aicr.nvidia.com/v1alpha1 → aicr.run/v1alpha2 in
  l40s-any, l40s-oke-training, l40s-oke-inference overlays (post-#1499
  domain migration)
- Add `ol` to OS enum description in pkg/client/v1/types.go and
  pkg/fingerprint/doc.go

Signed-off-by: Atif Mahmood <[email protected]>
Signed-off-by: Atif Mahmood <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/ci area/docs size/M theme/supply-chain SLSA, SBOM, Sigstore, and provenance verification

Projects

None yet

Development

Successfully merging this pull request may close these issues.

ci(supply-chain): adopt sigstore/rekor-monitor for release identity + consistency

2 participants