Promote cosign to public API (and support bzlmod) #235
Comments
Yup, cosign is a "private API" in 1.0. Only the distroless team is using it. Adding bzlmod support is just one of the tasks for considering it "ready" to commit to support in the public API surface.
We want to use
Coming back to this desire, has there been any movement on exposing cosign that isn't mentioned here?
Not really, I am not sure if cosign belongs here anymore. Only reason for keeping it is distroless, I thought about moving it to rules_distroless.
We would really like to use this +UPD. We don't use rules_distroless, we use rules_apko instead, so it’s logical to do it here
You're far more familiar with the domain than I am, but this surprised me, as it's not clear to me what cosign has to do with distroless. I'm looking to sign my container images, whether or not the images are based on distroless. If not here, then a dedicated rules_cosign ruleset would make sense, though I expect that it would be rather small, paying the outsized tax of needing its own CI workflow, BCR integration, and releases.
Need this as well. Does it have to be a separate rule?
If anyone has time to contribute this or can track down some OSS funding from their organization, that would be great. Primary maintainers here currently don't have volunteer time for it.
In #36 we introduced support for using the cosign tool with the `cosign_attest` and `cosign_sign` rules. Both of those require a registered toolchain for cosign. The cosign/repositories.bzl file defines the `cosign_register_toolchains` macro, but it remains difficult to use in a WORKSPACE.bzlmod file. Ideally we would register a toolchain for cosign in the MODULE.bazel file like we do for crane.

In short, it would be good to be able to use cosign as easily as we can the other tools integrated by this module.