|**Commit**| Engineer merges a Conventional Commit to `main` or rather creates a Pull Request to accomplish it. The release bot signs commits automatically | GitHub App + GPG | Verified ✅ signed commit with authorship traceability |
403
-
|**Version**| Semantic version is calculated automatically based on commit messages |`semantic-release`| Predictable versioning (`v1.2.3`), changelog, and tag created |
404
-
|**Build**| Application is packaged into a container image | OCI container (aka Docker) | Deterministic image tagged `app-<version>` and `app-latest`|
405
-
|**Scan**| Generate SBOM and CVE scan before release | Syft + Grype | CycloneDX SBOM + CVE visibility for compliance and early risk detection |
406
-
|**Attest**| Generate build provenance attestation linking code, build, and artefact digest |`actions/attest-build-provenance`| Cryptographically signed 🔏 provenance record stored in GitHub Attestations |
407
-
|**Sign**| Sign container image and record signature in the transparency log | Sigstore Cosign + Rekor | Tamper-evident signature proving authenticity and integrity |
408
-
|**Publish**| Push signed, attested image to registry and update release notes | GitHub Releases + GHCR | Trusted artefact available for downstream consumption |
409
-
|**Deploy**| Change integrated with downstream environments up to production | GitHub Action (continuous deployment) | TBC |
410
-
|**Release**| Feature enabled to the end user | OpenFeature (feature toggling) | TBC |
|**Commit**| Engineer merges a Conventional Commit to `main` or rather creates a Pull Request to accomplish it. The release bot signs commits automatically | GitHub App + GPG | Verified ✅ signed commit with authorship traceability |
426
+
|**Version**| Semantic version is calculated automatically based on commit messages |`semantic-release`| Predictable versioning (`v1.2.3`), changelog, and tag created |
427
+
|**Build**| Application is packaged into a container image | OCI container (aka Docker) | Deterministic image tagged `app-<version>` and `app-latest`|
428
+
|**Scan**| Generate SBOM and CVE scan before release | Syft + Grype | CycloneDX SBOM + CVE visibility for compliance and early risk detection |
429
+
|**Attest**| Generate build provenance attestation linking code, build, and artefact digest |`actions/attest-build-provenance`| Cryptographically signed 🔏 provenance record stored in GitHub Attestations |
430
+
|**Sign**| Sign container image and record signature in the transparency log | Sigstore Cosign + Rekor | Tamper-evident signature proving authenticity and integrity |
431
+
|**Publish**| Push signed, attested image to registry and update release notes | GitHub Releases + GHCR | Trusted artefact available for downstream consumption |
432
+
|**Deploy**| Change integrated with downstream environments up to production | GitHub Action (continuous deployment) | TBC |
433
+
|**Release**| Feature enabled to the end user | OpenFeature (feature toggling) | TBC |
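Review bot: every `+` row in this hunk is identical to the `-` row it replaces (`Commit` through `Release`), so the change only relocates the pipeline table and does not alter its content; if the intent was a pure move, say so in the commit message. Since the rows are being re-added anyway, three things in them deserve a fix in the same change: the `Deploy` and `Release` rows still carry "TBC" in the outcome column, the `Commit` row's "merges a Conventional Commit to `main` or rather creates a Pull Request to accomplish it" is hard to parse (for example: "Engineer opens a Pull Request with Conventional Commit messages; merging to `main` triggers the release bot, which signs the resulting commit"), and the `Build` row claims a "Deterministic image" without the Tool column naming anything that guarantees reproducibility, so either state the mechanism there or soften the wording.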