Suboptimal supply chain security for the project

Question

Suboptimal supply chain security for the project

R3DRUN3 opened this issue a year ago · 0 comments

Checklist

I've searched for similar issues and couldn't find anything matching

Problem Description

At its current state, the project exhibits suboptimal supply chain management in the CI pipeline.
The generated OCI images for nostr-wallet-connect are neither signed nor attested.

Solution Description

The proposed solution suggests minimal adherence to industry best practices, by signing and attesting the images (cosign) using their SBOM as a predicate.

Benefits

Main benefits are:

Certify both image and SBOM provenance.
Have the SBOM available in the same registry as the image, enabling effortless downloading for all users.
Implementing specific admission policies with tools such as Kyverno and Sigstore Policy Controller.

Additional Information

For an implementation reference on GitHub Actions, please refer to this.