
Add VEX attestation#2546

Merged
universal-itengineer merged 10 commits into main from vex-attestations on Jul 2, 2026

Conversation

@himax1991


Summary

  • Add .werf/defines/vex.tmpl for cosign OpenVEX attestations
  • Add base/vex image for VEX signing infrastructure
  • Extend werf-giterminism.yaml with signing mode env vars and registry/Vault secrets for CSE compatibility
  • Update CI build workflows for VEX registry credentials (modules-actions v15 / modules-gitlab-ci v13.0)

Enable cosign OpenVEX signing via base/vex image, giterminism secrets for registry and Vault, and CI build credentials.

Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com>
himax1991 and others added 6 commits June 26, 2026 15:40
Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com>
Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com>
Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com>
Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com>
Signed-off-by: Maksim Khimchenko <39365040+himax1991@users.noreply.github.com>
Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com>
@universal-itengineer universal-itengineer added this to the v1.10.0 milestone Jul 1, 2026
universal-itengineer and others added 3 commits July 1, 2026 16:32
Define the base/vex image consumed by the "vex mitigation" template
(.werf/defines/vex.tmpl). Placed in werf.yaml rather than a separate
.werf/*.yaml file so its tools/* imports (cosign, jq, curl, bash) are
discovered by parse_base_images_map, which scans only werf.yaml and
images/*/werf.inc.yaml. Validated with 'werf config render --dev'.

Signed-off-by: Nikita Korolev <nikita.korolev@flant.com>
Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com>
Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com>
@universal-itengineer universal-itengineer modified the milestones: v1.10.0, v1.9.3 Jul 2, 2026
@universal-itengineer universal-itengineer merged commit 5230cbb into main Jul 2, 2026
53 of 59 checks passed
@universal-itengineer universal-itengineer deleted the vex-attestations branch July 2, 2026 09:28
@deckhouse-BOaTswain


Backport failed. See Job for details.

universal-itengineer added a commit that referenced this pull request Jul 2, 2026
Summary

  • Add .werf/defines/vex.tmpl for cosign OpenVEX attestations
  • Add base/vex image for VEX signing infrastructure
  • Extend werf-giterminism.yaml with signing mode env vars and registry/Vault secrets for CSE compatibility
  • Update CI build workflows for VEX registry credentials (modules-actions v15 / modules-gitlab-ci v13.0)

---------

Signed-off-by: Maksim Khimchenko <maksim.khimchenko@flant.com>
Co-authored-by: Nikita Korolev <nikita.korolev@flant.com>
universal-itengineer added a commit that referenced this pull request Jul 2, 2026

3 participants