Cosign VAT Attestation
Background
Now that the pipeline is making use of Cosign, we should begin adding attestations. We should start with adding the VAT response as an attestation.
Acceptance Criteria
-
Discuss with VAT what predicate name we should use -
Add method to perform cosign atteste.g.cosign attest --replace --predicate vat.json --type https://vat.dso.mil/something registry1.dso.mil/something:1.2.3 -
Call new method in upload to harbor job
Definition of Done
-
Code has been tested in staging environment -
Validate attestation in staging registry
Edited by David Freeman