Small doc changes #55
Conversation
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: vdemeester The full list of commands accepted by this bot can be found here. The pull request process is described here
- Add a little bit more to the README - Update `.catalog.yaml` to `catalog.yaml` as dot-files can't be attached to releases. Signed-off-by: Vincent Demeester <[email protected]>
64681e8 to f5f5cca
- it mutates the resources to add the version annotation | ||
- it generates the final `catalog.yaml` with hash, digest, signature, … | ||
- it packages the tasks and pipelines in a `tekton-resources.tar.gz` tarball (with READMEs for documentation) | ||
- it (optionally) create, push the tag, create a GitHub release and attach content to it |
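Review bot: the last bullet breaks the verb form used by the other three ("it mutates", "it generates", "it packages"); "it (optionally) create, push the tag, create a GitHub release and attach content to it" should read "it (optionally) creates and pushes the tag, creates a GitHub release and attaches content to it". The `catalog.yaml` bullet would also be clearer if it said what the hash, digest and signature are computed over (the individual resources, the `tekton-resources.tar.gz` tarball, or both), since that is what a consumer can later verify.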
Here I expect users to rely on `gh` directly, so `catalog-cd release` will do all the heavy lifting for the user to be able to only upload the release.
In my head, it was more something similar to goreleaser. Quite some projects using goreleaser do not create any GitHub release using the UI or `gh`, they just rely on the goreleaser tool. The idea was kind-of the same 🙃
- Extract the tarball content and merge it with the current catalog available in the `p` branch | ||
- Creates a pull-request to update it | ||
- The pull request checks includes | ||
- Lint the resources |
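Review bot: "The pull request checks includes" should be "include", and the bullets switch between the imperative ("Extract") and third person ("Creates"); pick one form. Since the release step above produces a signed `catalog.yaml` with hash and digest, the checks listed here should also say whether that signature and digest are verified against the extracted tarball before the lint step, otherwise the merge into the catalog branch has no link back to the release artifact. It is also worth confirming that the branch is really named `p` and not a cut-off name.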
And for the future, we should require a proof that `catalog-cd probe` has run successfully 💡
Maybe part of the SBOM payload.
/cc @savitaashture
What is describe above is *required* for the internal launch. | ||
|
||
What is missing from here: | ||
- Attestation, SBOM, signature, … |
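Review bot: "What is describe above" should be "What is described above". The "Attestation, SBOM, signature, …" bullet lists the missing pieces but gives no hint of where they will be recorded or how they are checked; even a one-line pointer to the intended format would make the gap actionable rather than a reminder.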
Which should go into `.catalog.attestation` attributes, I think the basic requirements are: https://docs.sigstore.dev/signing/quickstart/#verifying-a-signed-blob
So, we still need to describe:
- Certificate
- Signature
- Identity
|
||
What is missing from here: | ||
- Attestation, SBOM, signature, … | ||
- How to validate the task is well tested (so that Red Hat can support it) |
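Review bot: "How to validate the task is well tested (so that Red Hat can support it)" is too vague to act on as a requirement; the doc should name what counts as evidence (which tests have to run and where their result is recorded) so that the check can later be automated alongside the lint step.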
Then this, plus making sure the image is part of the Red Hat catalog, also, the image itself needs to provide a valid provenance attestation.
/cc @savitaashture 🙏
@otaviof: GitHub didn't allow me to request PR reviews from the following users: savitaashture. Note that only openshift-pipelines members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/lgtm Let's keep the comments for later conversations, please.
Files changed: design.md