I've searched for similar issues and couldn't find anything matching
Problem Description
In its current state, the project exhibits suboptimal supply-chain management in its CI pipeline.
The generated OCI images for nostr-wallet-connect are neither signed nor attested.
Solution Description
The proposed solution is to follow industry best practice at a minimum, by signing and attesting the images (with cosign) using their SBOM as the attestation predicate.
Benefits
Main benefits are:
Certify both image and SBOM provenance.
Have the SBOM available in the same registry as the image, enabling effortless downloading for all users.
Checklist
Additional Information
For an implementation reference on GitHub Actions, please refer to this.