Skip to content

docs: correct supply-chain, evidence & provenance documentation#1547

Merged
mchmarny merged 1 commit into
NVIDIA:mainfrom
yuanchen8911:docs/post-1528-doc-correctness
Jun 30, 2026
Merged

docs: correct supply-chain, evidence & provenance documentation#1547
mchmarny merged 1 commit into
NVIDIA:mainfrom
yuanchen8911:docs/post-1528-doc-correctness

Conversation

@yuanchen8911

@yuanchen8911 yuanchen8911 commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Summary

A documentation-correctness sweep of AICR's supply-chain, evidence, provenance, and bundle docs (plus the demo guides, scripts, and slide decks), following the #1528 audit. Every change was verified against the implementation. ~34 files; doc/comment-only (the single Go change is a comment in pkg/server/doc.go).

Supply-chain & provenance verification

  • gh attestation verify pinned to --repo NVIDIA/aicr --signer-workflow …/on-tag.yaml (+ --source-ref refs/tags/${TAG}) instead of --owner alone; all cosign --certificate-identity-regexp values anchored/escaped (incl. RELEASING.md).
  • gh attestation verify no longer shown emitting the SBOM (provenance only); image SBOM (signed OCI attestation) vs binary SBOM (separate, unsigned release asset) disambiguated.
  • Categorical "SLSA Build Level 3" claims qualified to "build provenance v1; level under review (Reconcile SLSA Build Level claim (docs say L3; build architecture looks like L2) #1536)" across SECURITY.md, README.md, docs/README.md, installation.md, CONTRIBUTING.md, RELEASING.md, and the provenance deck.
  • SECURITY.md supported-version table bumped to 0.16.x (v0.16.0 is GA).
  • SECURITY.md pinning policy aligned to ADR-006 (gate = bom-pinning-check -strict; exemption map belongs to image-digest pinning; admission verification is roadmap; CycloneDX BOM generated locally).

Recipe evidence & maintainer docs

  • Reframed evidence as a signer-bound, tamper-evident record that binds an identity to a recorded aicr validate result — not proof the signer ran it or that a cluster physically existed (README, evidence.md, evidence-publishing.md, slides).
  • Evidence pointer-contract gate trusts pointer-supplied signer (no crypto verification) #1535 lifecycle corrected: the merge gate is structural (claimed signer); cryptographic verification happens post-merge at ingest (artifact guide, ADR-007, maintainer guide).
  • Split validate/sign: only the unsigned subject/predicate (and thus the OCI digest) are reproducible across signing hosts — the signature, certificate, and Rekor entry vary per run.
  • Privacy: "slug-only" scoped to the allowlist; committed pointers + Rekor publish signer.identity, so sign with a non-personal identity. Pointer paths use the nested <recipe>/<src>/<digest>.yaml layout with a valid full digest.

Bundle attestation & trust levels

Other

Motivation / Context

Follow-up to #1528. Surfaced and hardened across multiple review passes.

Issue status

Type of Change

  • Documentation update

Component(s) Affected

  • Docs/examples (docs/, demos/, README.md, SECURITY.md, CONTRIBUTING.md, RELEASING.md)
  • API server (comment-only: pkg/server/doc.go)

Testing

make check-docs-mdx        # OK
make check-docs-filenames  # OK
bash -n <edited demo scripts>          # OK
git diff --check                       # clean
golangci-lint run -c .golangci.yaml ./pkg/server/...   # 0 issues (doc.go comment-only)

Full local make qualify is substituted by CI, which runs the identical gate (test-coverage, lint, e2e, scan, license-check) — all green on this head: tests / Test, tests / Lint, tests / E2E, tests / CLI E2E, tests / Security Scan, analyze. This is accepted as the make qualify equivalent for a doc/comment-only change (the only Go edit is a comment; golangci-lint ./pkg/server/... = 0 issues).

The Policy Controller admission example was additionally validated end-to-end on the aicr-demo5 GKE cluster (positive admit + wrong-identity reject).

Risk Assessment

  • Low — documentation/comment corrections, no behavior change.

Checklist

  • Linter passes on the touched Go package
  • I did not skip/disable tests to make CI green
  • I updated docs if user-facing behavior changed
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)

@yuanchen8911 yuanchen8911 requested a review from a team as a code owner June 29, 2026 21:44
@yuanchen8911 yuanchen8911 added area/docs theme/community Contributor onboarding, docs, and external engagement labels Jun 29, 2026
@github-actions

Copy link
Copy Markdown
Contributor

@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

The PR updates attestation-verification examples and provenance docs to use explicit repository and signer-workflow inputs instead of --owner. It also revises related provenance policy text, bundle and recipe documentation, contributor guidance, and several smaller docs for terminology, links, examples, and default values.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related issues

Possibly related PRs

  • NVIDIA/aicr#1334: Related supply-chain verification guide changes around attestation and Cosign identity matching.
  • NVIDIA/aicr#1544: Related updates to docs/design/007-recipe-evidence.md around verifier contract and signer-identity handling.

Suggested labels

theme/supply-chain

Suggested reviewers

  • mchmarny
  • lockwobr
🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title is concise and accurately reflects the docs-focused supply-chain, evidence, and provenance changes.
Description check ✅ Passed The description clearly matches the documented provenance, bundle, docs, and comment-only changes in the patch.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/design/007-recipe-evidence.md`:
- Around line 19-27: Update the wording in the design doc around the verifier
behavior to qualify the “pending signature” claim: in the section describing the
shipped verifier, make it clear that `pending signature` from the verifier is
only returned after predicate/schema parse and manifest-inventory hash binding
succeed. Use the existing terms in the paragraph (“shipped verifier”, “pending
signature”, “verify”, “unsigned bundle”) and adjust the sentence so unsigned
bundles that fail other validation are described as those failures, not as
`pending signature`.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: d19af244-a54f-43ed-92a3-1a3c4a907ecd

📥 Commits

Reviewing files that changed from the base of the PR and between 3eb13ff and 2097bf2.

📒 Files selected for processing (11)
  • SECURITY.md
  • demos/provenance-demo-slides.html
  • demos/provenance-demo.sh
  • demos/provenance.md
  • docs/contributor/maintaining.md
  • docs/design/007-recipe-evidence.md
  • docs/design/014-ocp-helm.md
  • docs/integrator/automation.md
  • docs/integrator/supply-chain-verification.md
  • docs/user/artifact-verification.md
  • pkg/server/doc.go

Comment thread demos/provenance-demo.sh Outdated
Comment thread docs/design/007-recipe-evidence.md
@yuanchen8911 yuanchen8911 force-pushed the docs/post-1528-doc-correctness branch from 2097bf2 to 548cfe0 Compare June 29, 2026 22:00
@github-actions github-actions Bot added size/L and removed size/M labels Jun 29, 2026
@yuanchen8911 yuanchen8911 changed the title docs: fix supply-chain verify pinning, evidence semantics, drift docs: post-#1528 correctness + fold #1533 tail and #1537 examples Jun 29, 2026
@yuanchen8911 yuanchen8911 marked this pull request as draft June 29, 2026 22:05

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/contributor/api-server.md`:
- Around line 73-75: The API server docs currently imply that the `/` root route
is registered through WithHandler, but the actual registration happens in
configureRootHandler and then it is wrapped through the normal middleware flow.
Reword the root-route description in the contributor docs to distinguish custom
handlers added by WithHandler from the built-in `/` route inserted by
configureRootHandler, while keeping the note that system endpoints like /health,
/ready, and /metrics bypass the chain.

In `@docs/integrator/data-flow.md`:
- Around line 202-212: The matching-criteria description conflicts with the
later RecipeResult field list because it includes platform and node-count as
criteria while the diagram box still only shows service, accelerator, intent,
and os. Update the data-flow section so both places agree: either add platform
and node-count to the RecipeResult list or remove them from the criteria
sentence, and keep the terminology consistent across the surrounding
matching/constraint explanation.

In `@docs/integrator/kubernetes-deployment.md`:
- Around line 515-517: The port-forward example in the Kubernetes deployment
docs can race because curl runs before kubectl port-forward is ready. Update the
snippet around kubectl port-forward and the curl example to wait briefly or
retry until the local 8080 endpoint is available before issuing curl, so the
copy-paste flow is reliable on slower machines.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 134fe4b7-12aa-4d9f-9222-955268ca33ba

📥 Commits

Reviewing files that changed from the base of the PR and between 2097bf2 and 548cfe0.

📒 Files selected for processing (19)
  • SECURITY.md
  • demos/bundle-attestation.md
  • demos/cuj2-demo.md
  • demos/end-to-end-cli.md
  • demos/provenance-demo-slides.html
  • demos/provenance-demo.sh
  • demos/provenance.md
  • docs/contributor/api-server.md
  • docs/contributor/maintaining.md
  • docs/contributor/tests.md
  • docs/design/007-recipe-evidence.md
  • docs/design/014-ocp-helm.md
  • docs/integrator/automation.md
  • docs/integrator/data-flow.md
  • docs/integrator/kubernetes-deployment.md
  • docs/integrator/supply-chain-verification.md
  • docs/user/api-reference.md
  • docs/user/artifact-verification.md
  • pkg/server/doc.go
💤 Files with no reviewable changes (1)
  • demos/cuj2-demo.md

Comment thread docs/contributor/api-server.md Outdated
Comment thread docs/integrator/data-flow.md Outdated
Comment thread docs/integrator/kubernetes-deployment.md Outdated
@yuanchen8911 yuanchen8911 force-pushed the docs/post-1528-doc-correctness branch from 548cfe0 to 35818fd Compare June 29, 2026 22:14

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
docs/contributor/api-server.md (1)

73-75: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Keep the root-route attribution precise.

WithHandler only wires custom handlers; the built-in / route is injected by configureRootHandler and then wrapped like the other handlers. Please reword this so the docs distinguish those paths.

♻️ Proposed fix
-System endpoints — `/health`, `/ready`, `/metrics` — bypass the chain entirely. The `/` root route is registered via `WithHandler` and runs the full middleware chain like other application routes.
+System endpoints — `/health`, `/ready`, `/metrics` — bypass the chain entirely. The built-in `/` route is injected by `configureRootHandler` and runs the full middleware chain like other application routes.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/contributor/api-server.md` around lines 73 - 75, The root-route
description is attributing `/` to WithHandler, but that symbol only registers
custom handlers while configureRootHandler injects the built-in root route and
it is then wrapped by the middleware chain. Reword the docs in api-server.md to
clearly distinguish the system endpoints (`/health`, `/ready`, `/metrics`) from
the root route, and mention configureRootHandler as the source of `/` instead of
WithHandler.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@docs/contributor/api-server.md`:
- Around line 73-75: The root-route description is attributing `/` to
WithHandler, but that symbol only registers custom handlers while
configureRootHandler injects the built-in root route and it is then wrapped by
the middleware chain. Reword the docs in api-server.md to clearly distinguish
the system endpoints (`/health`, `/ready`, `/metrics`) from the root route, and
mention configureRootHandler as the source of `/` instead of WithHandler.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 2fd1d69c-1bf3-4438-8030-10eb9558f97d

📥 Commits

Reviewing files that changed from the base of the PR and between 548cfe0 and 35818fd.

📒 Files selected for processing (19)
  • SECURITY.md
  • demos/bundle-attestation.md
  • demos/cuj2-demo.md
  • demos/end-to-end-cli.md
  • demos/provenance-demo-slides.html
  • demos/provenance-demo.sh
  • demos/provenance.md
  • docs/contributor/api-server.md
  • docs/contributor/maintaining.md
  • docs/contributor/tests.md
  • docs/design/007-recipe-evidence.md
  • docs/design/014-ocp-helm.md
  • docs/integrator/automation.md
  • docs/integrator/data-flow.md
  • docs/integrator/kubernetes-deployment.md
  • docs/integrator/supply-chain-verification.md
  • docs/user/api-reference.md
  • docs/user/artifact-verification.md
  • pkg/server/doc.go
💤 Files with no reviewable changes (1)
  • demos/cuj2-demo.md

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
docs/integrator/data-flow.md (1)

208-211: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Keep the matching criteria list aligned with the result diagram.

The new sentence again includes platform and node-count as matching dimensions, but the RecipeResult box below still lists only service, accelerator, intent, and os. As per coding guidelines, keep Markdown docs accurate and helpful.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/integrator/data-flow.md` around lines 208 - 211, The matching criteria
text is out of sync with the RecipeResult diagram and currently lists extra
dimensions not shown there. Update the markdown in the data-flow doc so the
criteria sentence and the RecipeResult box use the same matching fields by
keeping the list aligned with the diagram, and reference the RecipeResult
section plus the criteria-dimensions description to ensure both stay consistent.

Source: Coding guidelines

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/user/api-reference.md`:
- Around line 499-516: The `X-Bundle-Files` example in the API reference is
outdated and undercounts the revised bundle tree. Update the header/example in
the docs to reflect the current bundle layout shown in the `README`/bundle tree
description, including the correct total of 11 files and the root-level-only
checksums plus per-component `install.sh` placement, so the documented file list
matches the generated bundle structure.

---

Duplicate comments:
In `@docs/integrator/data-flow.md`:
- Around line 208-211: The matching criteria text is out of sync with the
RecipeResult diagram and currently lists extra dimensions not shown there.
Update the markdown in the data-flow doc so the criteria sentence and the
RecipeResult box use the same matching fields by keeping the list aligned with
the diagram, and reference the RecipeResult section plus the criteria-dimensions
description to ensure both stay consistent.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: ee8fba55-c938-40ea-8f92-d5e2bc293a69

📥 Commits

Reviewing files that changed from the base of the PR and between 35818fd and d522e3a.

📒 Files selected for processing (19)
  • SECURITY.md
  • demos/bundle-attestation.md
  • demos/cuj2-demo.md
  • demos/end-to-end-cli.md
  • demos/provenance-demo-slides.html
  • demos/provenance-demo.sh
  • demos/provenance.md
  • docs/contributor/api-server.md
  • docs/contributor/maintaining.md
  • docs/contributor/tests.md
  • docs/design/007-recipe-evidence.md
  • docs/design/014-ocp-helm.md
  • docs/integrator/automation.md
  • docs/integrator/data-flow.md
  • docs/integrator/kubernetes-deployment.md
  • docs/integrator/supply-chain-verification.md
  • docs/user/api-reference.md
  • docs/user/artifact-verification.md
  • pkg/server/doc.go
💤 Files with no reviewable changes (1)
  • demos/cuj2-demo.md

Comment thread docs/user/api-reference.md
@yuanchen8911 yuanchen8911 force-pushed the docs/post-1528-doc-correctness branch 2 times, most recently from 507203c to 29991f6 Compare June 29, 2026 22:44

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

♻️ Duplicate comments (1)
docs/integrator/data-flow.md (1)

202-213: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Keep the query field list consistent.

The new nodes projection still isn't reflected in the RecipeResult.criteria box below, so the section now describes two different field sets. Please update one side to match the other.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@docs/integrator/data-flow.md` around lines 202 - 213, The query field list is
inconsistent because the new nodes projection in the Fingerprint.ToCriteria
description is not reflected in the RecipeResult.criteria box. Update the recipe
criteria documentation so it matches the projected fields exactly, using the
existing Fingerprint.ToCriteria and RecipeResult.criteria sections as the source
of truth.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/integrator/data-flow.md`:
- Around line 450-468: The markdown section in the template usage docs needs a
blank line before the fenced gotemplate block to satisfy MD031. Update the prose
around the README example so the opening fence is separated by an empty line,
and keep the surrounding `readmeTemplateData` / `deployTemplateData` wording
intact.

In `@docs/integrator/kubernetes-deployment.md`:
- Around line 515-521: The metrics port-forward example can block forever if
kubectl port-forward never succeeds or /metrics is unreachable; update the
snippet to add a bounded timeout around the wait loop and ensure the background
port-forward process is cleaned up on failure. Keep the fix in the kubectl
port-forward/curl example by modifying the wait/kill flow so it exits cleanly
and references the pf_pid handling.

---

Duplicate comments:
In `@docs/integrator/data-flow.md`:
- Around line 202-213: The query field list is inconsistent because the new
nodes projection in the Fingerprint.ToCriteria description is not reflected in
the RecipeResult.criteria box. Update the recipe criteria documentation so it
matches the projected fields exactly, using the existing Fingerprint.ToCriteria
and RecipeResult.criteria sections as the source of truth.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 49dc5ffa-7468-4a38-a465-caa16873911b

📥 Commits

Reviewing files that changed from the base of the PR and between d522e3a and 507203c.

📒 Files selected for processing (19)
  • SECURITY.md
  • demos/bundle-attestation.md
  • demos/cuj2-demo.md
  • demos/end-to-end-cli.md
  • demos/provenance-demo-slides.html
  • demos/provenance-demo.sh
  • demos/provenance.md
  • docs/contributor/api-server.md
  • docs/contributor/maintaining.md
  • docs/contributor/tests.md
  • docs/design/007-recipe-evidence.md
  • docs/design/014-ocp-helm.md
  • docs/integrator/automation.md
  • docs/integrator/data-flow.md
  • docs/integrator/kubernetes-deployment.md
  • docs/integrator/supply-chain-verification.md
  • docs/user/api-reference.md
  • docs/user/artifact-verification.md
  • pkg/server/doc.go
💤 Files with no reviewable changes (1)
  • demos/cuj2-demo.md

Comment thread docs/integrator/data-flow.md
Comment thread docs/integrator/kubernetes-deployment.md Outdated
@yuanchen8911 yuanchen8911 force-pushed the docs/post-1528-doc-correctness branch 5 times, most recently from 0ef86cf to a92aaf2 Compare June 30, 2026 00:11
@yuanchen8911 yuanchen8911 force-pushed the docs/post-1528-doc-correctness branch 2 times, most recently from 2552642 to 05a9c98 Compare June 30, 2026 00:35
@yuanchen8911 yuanchen8911 changed the title docs: post-#1528 correctness + fold #1533 tail and #1537 examples docs: correct supply-chain, evidence & provenance documentation Jun 30, 2026
@yuanchen8911 yuanchen8911 force-pushed the docs/post-1528-doc-correctness branch from 05a9c98 to 1a5482d Compare June 30, 2026 00:39
@yuanchen8911 yuanchen8911 marked this pull request as ready for review June 30, 2026 01:04
@yuanchen8911 yuanchen8911 force-pushed the docs/post-1528-doc-correctness branch 3 times, most recently from 12ad086 to 77bc48c Compare June 30, 2026 01:32
…l and NVIDIA#1537 examples

Post-NVIDIA#1528 documentation-correctness sweep of AICR supply-chain, evidence,
provenance, and bundle docs (plus demos, scripts, slide decks), verified
against the implementation. Doc/comment-only; the one Go change is a comment.

Final review-round closure (round 12):
- Ingest verification qualified as implemented-but-currently-failing-closed
  pending NVIDIA#1505 (the GP2 loader cannot parse the canonical allowlist) — it had
  been documented as fully operational (artifact guide, evidence.md, ADR-007,
  maintaining.md).
- expected-signer regex example matches its own pointer (validate.yaml@refs/heads/main).
- Exit 1/2 documented as structured exit values (both map to OS exit 2; read
  the JSON .exit via --format json).
- community allowlist example includes the required issuer field.
- Split signing: only the unsigned subject/predicate + bundle digest are
  reproducible; signature/cert/identity/time differ per signing host.
- Rekor audit commands runnable (extract digest, strip the sha256: prefix);
  pointer enumeration excludes allowlist.yaml.
- Port-forward snippet tracks readiness and preserves the failure exit status.
- Checksum wording: inventories the deployment payload (recipe.yaml excluded,
  attestation files verified separately).
- SECURITY supported-version bumped to 0.16.x (v0.16.0 is GA).

Earlier rounds: pinned gh attestation verify to --repo/--signer-workflow/--source-ref;
anchored cosign identity regexes; qualified SLSA build-level (NVIDIA#1536); reframed
recipe evidence as a signer-bound record (NVIDIA#1535); propagated the NVIDIA#1549 checksums
scope and NVIDIA#1550 attested/exit semantics; rewrote the data-flow bundler/deployer
flow; validated the Policy Controller admission example on demo5 and demoted the
Kyverno example (NVIDIA#1537).

Signed-off-by: Yuan Chen <[email protected]>

Round 13 (propagation closure):
- artifact-verification heading no longer says "NVIDIA#1535 resolved" (ingest blocked by NVIDIA#1505).
- Split-signing reproducibility corrected in the CLI reference and ADR-007
  (only unsigned subject/predicate + OCI digest are stable; signature material varies).
- Rekor audit runbook made runnable: quoted POINTER, digest extracted from it,
  UUID captured from rekor-cli search and passed to rekor-cli get.
- Port-forward snippet captures the metrics body in the successful probe and
  exits nonzero when unreachable (no maskable second curl).
- Exit-1 Review Process documents the structured exit: 1 value (OS exit code 2).

Signed-off-by: Yuan Chen <[email protected]>

Round 14: rekor-cli search --format json returns {"UUIDs":[...]}, so use
jq -er .UUIDs[0] (not .[0]) when capturing the entry UUID.

Signed-off-by: Yuan Chen <[email protected]>
@yuanchen8911 yuanchen8911 force-pushed the docs/post-1528-doc-correctness branch from 77bc48c to cc2b24c Compare June 30, 2026 01:36
@yuanchen8911 yuanchen8911 requested a review from mchmarny June 30, 2026 01:37
@mchmarny mchmarny merged commit 0479638 into NVIDIA:main Jun 30, 2026
32 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/api area/docs size/XL theme/community Contributor onboarding, docs, and external engagement

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants