sec(release): release sboms and signatures in same repository as artefact (#1346)

* chore(repo): add pre-commit

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* feat(helm): add schema

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

* sec(release): release sboms and signatures in same repository as artefact

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

---------

Signed-off-by: Oliver Bähler <oliverbaehler@hotmail.com>

.github/workflows/docker-publish.yml

@@ -49,8 +49,8 @@ jobs:
           version: ${{ github.ref_name }}
           sign-image: true
           sbom-name: capsule
-          sbom-repository: ghcr.io/${{ github.repository_owner }}/sbom
-          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+          sbom-repository: ghcr.io/${{ github.repository_owner }}/capsule
+          signature-repository: ghcr.io/${{ github.repository_owner }}/capsule
           main-path: ./
         env:
           REPOSITORY: ${{ github.repository }}

.github/workflows/helm-publish.yml

@@ -65,7 +65,7 @@ jobs:
           registry-password: ${{ secrets.GITHUB_TOKEN }}
           update-dependencies: 'true' # Defaults to false
           sign-image: 'true'
-          signature-repository: ghcr.io/${{ github.repository_owner }}/signatures
+          signature-repository: ghcr.io/${{ github.repository_owner }}/charts/capsule
   helm-provenance:
     needs: publish-helm-oci
     permissions:

SECURITY.md

@@ -54,19 +54,23 @@ Response times could be affected by weekends, holidays, breaks or time zone diff
 
 ## Verifing
 
-To verify artifacts you need to have [cosign installed](https://github.com/sigstore/cosign#installation). This guide assumes you are using v2.x of cosign. All of the signatures are created using [keyless signing](https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect). We have a seperate repository for all the signatures for all the artifacts released under the projectcapsule - `ghcr.io/projectcapsule/signatures`. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
+To verify artifacts you need to have [cosign installed](https://github.com/sigstore/cosign#installation). This guide assumes you are using v2.x of cosign. All of the signatures are created using [keyless signing](https://docs.sigstore.dev/verifying/verify/#keyless-verification-using-openid-connect). You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
 
-    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures
+    # Docker Image
+    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/capsule
+
+    # Helm Chart
+    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule
 
 To verify the signature of the docker image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/capsule):
 
-    COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures cosign verify ghcr.io/projectcapsule/capsule:<release_tag> \
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule cosign verify ghcr.io/projectcapsule/capsule:<release_tag> \
       --certificate-identity-regexp="https://github.com/projectcapsule/capsule/.github/workflows/docker-publish.yml@refs/tags/*" \
       --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq
 
 To verify the signature of the helm image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/charts%2Fcapsule):
 
-    COSIGN_REPOSITORY=ghcr.io/projectcapsule/signatures cosign verify ghcr.io/projectcapsule/charts/capsule:<release_tag> \
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule cosign verify ghcr.io/projectcapsule/charts/capsule:<release_tag> \
       --certificate-identity-regexp="https://github.com/projectcapsule/capsule/.github/workflows/helm-publish.yml@refs/tags/*" \
       --certificate-oidc-issuer="https://token.actions.githubusercontent.com" | jq
 
@@ -95,19 +99,23 @@ cosign verify-attestation --type slsaprovenance \
 
 ## Software Bill of Materials (SBOM)
 
-An SBOM (Software Bill of Materials) in CycloneDX JSON format is published for each Kyverno release, including pre-releases. Like signatures, SBOMs are stored in a separate repository at `ghcr.io/projectcapsule/sbom`. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
+An SBOM (Software Bill of Materials) in CycloneDX JSON format is published for each release, including pre-releases. You can set the environment variable `COSIGN_REPOSITORY` to point to this repository. For example:
+
+    # Docker Image
+    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/capsule
+
+    # Helm Chart
+    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule
 
-    export COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom
 
 To inspect the SBOM of the docker image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/capsule):
 
 
-    COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom cosign download sbom ghcr.io/projectcapsule/capsule:<release_tag>
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/capsule cosign download sbom ghcr.io/projectcapsule/capsule:<release_tag>
 
 To inspect the SBOM of the helm image, run the following command. Replace `<release_tag>` with an [available release tag](https://github.com/projectcapsule/capsule/pkgs/container/charts%2Fcapsule):
 
-    COSIGN_REPOSITORY=ghcr.io/projectcapsule/sbom cosign download sbom ghcr.io/projectcapsule/charts/capsule:<release_tag>
-
+    COSIGN_REPOSITORY=ghcr.io/projectcapsule/charts/capsule cosign download sbom ghcr.io/projectcapsule/charts/capsule:<release_tag>
 
 # Credits