Spike: Research architecture blueprint and create plan for build artifacts
Proposal
- Research and create an iteration plan to eventually allow GitLab to automatically and by default sign container images, packages, and build artifacts.
- Contribute to the GitLab and Cosign Architectural Blueprint.
Prior discussion can be found in the comments of "Sign build artifacts in Runner with Cosign" (gitlab-runner#29063).
🤖 Auto-Summary
Discoto Usage
Points
Discussion points are declared by headings, list items, and single lines that start with the text (case-insensitive) `point:`. For example, the following are all valid points:
#### POINT: This is a point
* point: This is a point
+ Point: This is a point
- pOINT: This is a point
point: This is a **point**
Note that any markdown used in the point text will also be propagated into the topic summaries.
Topics
Topics can be stand-alone and contained within an issuable (epic, issue, MR), or can be inline.
Inline topics are defined by creating a new thread (discussion) where the first line of the first comment is a heading that starts with (case-insensitive) `topic:`. For example, the following are all valid topics:
# Topic: Inline discussion topic 1
## TOPIC: **{+A Green, bolded topic+}**
### tOpIc: Another topic
Quick Actions
| Action | Description |
| --- | --- |
| `/discuss sub-topic TITLE` | Create an issue for a sub-topic. Does not work in epics. |
| `/discuss link ISSUABLE-LINK` | Link an issuable as a child of this discussion. |
Last updated by this job
TOPIC: Trust model and verification #396632 (comment 1315935603)
- Raw signatures mean building a new trust system from square one. We should rely on an existing system. #396632 (comment 1317120722)
- If we need to prioritize between the two, I believe it would be fine to start with just signing the attestation first. We could explore whether or not there is value in also signing the build artifact (or container image or package) later on and address that as a follow-up if needed. #396632 (comment 1319131255)
Discoto Settings
```yaml
---
summary:
  max_items: -1
  sort_by: created
  sort_direction: ascending
```
See the settings schema for details.