Status: filed upstream 2026-04-27 Taipei
Filed at kptdev/kpt#4504 (enhancement + area/fn-catalog labels).
Title: Krm-functions-catalog: add cosign keyless signing + SBOM + SLSA provenance to release pipeline.
Tone discipline applied (per project's pitch-facts + Japanese-style PR reply guidelines):
- No self-credentialing (no "Nephio TSC member" / "maintainer of ntn-operators" / @CODEOWNERS namedrops)
- No inaccurate precedent citations (cert-manager actually uses key-based cosign, not keyless; Kyverno is verify-images consumer, not self-signer — both removed from earlier drafts)
- 0 em-dashes
- 0 H4 sub-sections (continuous prose, single evidence bullet list)
- Acknowledges EPIC #4259 (kptdev → ex-GoogleContainerTools transfer) as the upstream's active focus and explicitly defers urgency
- Closes with "Thanks for keeping the project running through the transfer."
Original context (v0.4.0 release era)
PR #117 review (round 3, 2026-04-26) verified that kptdev/krm-functions-catalog images currently have:
- ❌ No cosign signatures (OCI Referrers API → HTTP 405; legacy .sig tag → HTTP 404)
- ❌ No SLSA provenance attestations
- ❌ No SBOM
- ❌ RELEASING.md does not mention sigstore / cosign / SLSA / signing
- ❌ after-tag-with-version.yaml only does Log in to GHCR + make func-push; no signing step
Verified end-to-end: our digest pin (PR #117 → v0.4.0 final via PR #122) is the strongest supply-chain defense currently available given upstream's signing posture. Filing this upstream issue now closes the residual gap (digest pin protects against tag re-pointing; upstream signing protects against repo compromise).
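The two registry probes recorded above (Referrers API, then cosign's legacy `sha256-<hex>.sig` tag) plus the digest-pin check, as an added example; this is not code from the kpt project, the catalog, or PR #117. It assumes cosign's documented tag-based signature layout and the OCI 1.1 `/v2/<path>/referrers/<digest>` endpoint; the image name, digest and registry responses in the demo are constructed placeholders, and a real registry such as GHCR will want a bearer token for manifest requests.

```python
"""Probe a digest-pinned OCI image for cosign artefacts (added example)."""
from __future__ import annotations

import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable

Fetch = Callable[[str], tuple[int, bytes]]  # url -> (HTTP status, body)
_DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


@dataclass(frozen=True)
class ImageRef:
    repo: str            # registry/path, e.g. ghcr.io/org/image
    tag: str | None
    digest: str | None   # sha256:<hex>


def parse_ref(ref: str) -> ImageRef:
    """Split registry/path[:tag][@sha256:hex] into its parts."""
    name, _, digest = ref.partition("@")
    if digest and not _DIGEST_RE.fullmatch(digest):
        raise ValueError(f"malformed digest in {ref!r}")
    tag = None
    # A ':' after the last '/' is a tag; a ':' before it would be a registry port.
    if ":" in name[name.rfind("/") + 1:]:
        name, _, tag = name.rpartition(":")
    return ImageRef(name, tag, digest or None)


def legacy_sig_tag(digest: str) -> str:
    """cosign's tag-based layout: sha256:<hex> -> sha256-<hex>.sig"""
    algo, hexdigest = digest.split(":", 1)
    return f"{algo}-{hexdigest}.sig"


def registry_urls(ref: ImageRef) -> dict[str, str]:
    host, _, path = ref.repo.partition("/")
    return {
        "referrers": f"https://{host}/v2/{path}/referrers/{ref.digest}",
        "legacy_sig": f"https://{host}/v2/{path}/manifests/{legacy_sig_tag(ref.digest)}",
    }


def http_fetch(url: str, token: str | None = None) -> tuple[int, bytes]:
    """Plain GET; pass a bearer token for registries that require one (e.g. GHCR)."""
    req = urllib.request.Request(url)
    req.add_header("Accept", "application/vnd.oci.image.index.v1+json, "
                             "application/vnd.oci.image.manifest.v1+json")
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def assess(ref_str: str, fetch: Fetch = http_fetch) -> dict[str, str]:
    """Per-check verdicts; `fetch` is injectable so the logic can run offline."""
    ref = parse_ref(ref_str)
    out = {"digest_pin": "present" if ref.digest else "missing"}
    if ref.digest is None:
        out["signature"] = "not checked (pin the digest first)"
        return out
    urls = registry_urls(ref)

    # Check 1: OCI 1.1 Referrers API (the review observed HTTP 405 here).
    status, body = fetch(urls["referrers"])
    if status == 200:
        try:
            manifests = json.loads(body).get("manifests", [])
        except ValueError:
            manifests = []
        types = sorted({m.get("artifactType", "?") for m in manifests})
        out["referrers"] = f"supported; artifactTypes={types}" if types else "supported; none attached"
    else:
        out["referrers"] = f"unsupported (HTTP {status})"

    # Check 2: legacy cosign signature tag (the review observed HTTP 404 here).
    status, _ = fetch(urls["legacy_sig"])
    out["legacy_sig_tag"] = {200: "present", 404: "absent"}.get(status, f"HTTP {status}")

    signed = "artifactTypes" in out["referrers"] or out["legacy_sig_tag"] == "present"
    out["signature"] = "found (verify it with cosign verify)" if signed else "none found"
    return out


# Constructed offline demo reproducing the review's observations (405 / 404).
DEMO_REF = "ghcr.io/example-org/example-fn:v0.4.0@sha256:" + "ab" * 32


def demo_fetch(url: str) -> tuple[int, bytes]:
    return (405, b"") if "/referrers/" in url else (404, b"")


if __name__ == "__main__":
    for key, verdict in assess(DEMO_REF, demo_fetch).items():
        print(f"{key:16s} {verdict}")
```

Run it against a real image by calling `assess("<registry/path@sha256:...>")` with the default `http_fetch` (wrap it in a lambda that supplies a token where the registry demands one). A "found" verdict only means a signature artefact exists; trust still comes from `cosign verify` against the expected identity and issuer, which is exactly the step the catalog's release pipeline currently does not produce anything for.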
Routing pivot
Original plan was to file at kptdev/krm-functions-catalog/issues/new; that page returns 404 because the catalog has both Issues and Discussions disabled (has_issues: false and has_discussions: false). The catalog README.md explicitly redirects: "Please Open Issues for this repo at kptdev/kpt." Verified that this routing is live: 15 prior catalog-related issues have been filed at kptdev/kpt, including by CODEOWNERS efiacor and liamfallon themselves.
Why it matters for the project
Next checkpoint
Wait for maintainer response (7–21 day horizon). If positive signal → draft PR to kptdev/krm-functions-catalog adding cosign + slsa-github-generator steps to after-tag-with-version.yaml. If silence beyond ~21 days, follow up via Kubernetes Slack #kpt.
Origin
PR #117 review (round 3, 2026-04-26 / refined 2026-04-27 hostile review v4 + Japanese-style tone pass).