Skip to content

Update ci-systemd-release.yml for provenance generation#2664

Merged
Aryan-sharma11 merged 5 commits into
kubearmor:mainfrom
asmit27rai:slsa-signed-releases
Jul 1, 2026
Merged

Update ci-systemd-release.yml for provenance generation#2664
Aryan-sharma11 merged 5 commits into
kubearmor:mainfrom
asmit27rai:slsa-signed-releases

Conversation

@asmit27rai

Copy link
Copy Markdown
Contributor

Summary

Adds SLSA Level 3 provenance generation to the release pipeline.

Problem

OpenSSF Scorecard Signed-Releases check scores 0/10 despite all release

artifacts having .sigstore.json bundles. Root cause: scorecard v4.13.1

does not recognize .sigstore.json format — support was added in v5.0.0.

Adding .intoto.jsonl provenance fixes this for all scorecard versions

and is also a requirement for SLSA L3 compliance.

Testing

Verified on fork asmit27rai/KubeArmor with tag v99.0.0-test:

@asmit27rai

Copy link
Copy Markdown
Contributor Author

@Aryan-sharma11
I got 10/10 score for signed release.
image

Here is the action : https://github.com/asmit27rai/KubeArmor/actions/runs/27613664291

Please have a look.

Comment thread .github/workflows/ci-systemd-release.yml Outdated
Comment thread .github/workflows/ci-systemd-release.yml Outdated
Comment thread .github/workflows/ci-systemd-release.yml Outdated
Comment thread .github/workflows/ci-systemd-release.yml Outdated
@asmit27rai asmit27rai force-pushed the slsa-signed-releases branch from 6ddccc2 to 65b7d19 Compare June 22, 2026 11:11
@asmit27rai asmit27rai force-pushed the slsa-signed-releases branch 2 times, most recently from 06ca81c to dab5fa9 Compare June 25, 2026 11:15
@Aryan-sharma11 Aryan-sharma11 merged commit d135996 into kubearmor:main Jul 1, 2026
7 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants