Support SLSA level 3

Author: ThomasVitale

.github/ISSUE_TEMPLATE/bug-report.md

@@ -0,0 +1,28 @@
+---
+name: Bug report
+about: Tell us about a problem you are experiencing
+title: ''
+labels: bug
+assignees: ''
+
+---
+
+**What steps did you take:**
+[A clear and concise description steps that can be used to reproduce the problem.]
+
+**What happened:**
+[A small description of the issue]
+
+**What did you expect:**
+[A description of what was expected]
+
+**Anything else you would like to add:**
+[Additional information that will assist in solving the issue.]
+
+**Additional context:**
+Add any other context about the problem here.
+
+**Environment:**
+
+- Kubernetes version (execute `kubectl version`): 
+- kapp-controller version (execute `kubectl get deployment -n kapp-controller kapp-controller -o yaml` and the annotation is `kbld.k14s.io/images`): 

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,17 @@
+---
+name: Feature request
+about: Suggest an idea for this project
+title: ''
+labels: enhancement
+assignees: ''
+
+---
+
+**Describe the problem/challenge you have:**
+[A description of the current challenge that you are experiencing.]
+
+**Describe the solution you'd like:**
+[A clear and concise description of what you want to happen. If applicable a visual representation of the UX.]
+
+**Anything else you would like to add:**
+[Additional information that will assist in solving the issue.]

.github/ISSUE_TEMPLATE/feature-request.md

@@ -6,7 +6,7 @@ env:
   COSIGN_EXPERIMENTAL: 1
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
-  VERSION: 0.5.1
+  VERSION: 0.6.0
 
 jobs:
   build:
@@ -16,7 +16,8 @@ jobs:
       contents: write
       packages: write
     outputs:
-      image-release: ${{ steps.image-info.outputs.release }}
+      image-name: ${{ steps.image-info.outputs.image_name }}
+      image-digest: ${{ steps.image-info.outputs.image_digest }}
     steps:
       - name: Checkout source code
         uses: actions/checkout@v3.1.0
@@ -56,7 +57,9 @@ jobs:
           package_file=repo/package-repository.yml
           image_release=$(yq '.spec.fetch.imgpkgBundle.image' ${package_file})
           echo "IMAGE_RELEASE=${image_release}" >> $GITHUB_ENV
-          echo "release=${image_release}" >> $GITHUB_OUTPUT
+
+          echo "image_name=$(echo ${image_release} | cut -d'@' -f1)" >> $GITHUB_OUTPUT
+          echo "image_digest=$(echo ${image_release} | cut -d'@' -f2)" >> $GITHUB_OUTPUT
       
       - name: Add additional tags to OCI image
         run: |
@@ -81,7 +84,8 @@ jobs:
       packages: write
       id-token: write
     env:
-      IMAGE_RELEASE: ${{ needs.build.outputs.image-release }}
+      IMAGE_NAME: ${{ needs.build.outputs.image-name }}
+      IMAGE_DIGEST: ${{ needs.build.outputs.image-digest }}
     steps:
       - name: Install Cosign
         uses: sigstore/cosign-installer@v2.8.1
@@ -95,49 +99,63 @@ jobs:
 
       - name: Sign image
         run: |
-          cosign sign "${IMAGE_RELEASE}"
+          cosign sign "${IMAGE_NAME}@${IMAGE_DIGEST}"
   
   provenance:
-    name: Provenance
-    runs-on: ubuntu-22.04
     needs: [build,sign]
     permissions:
-      packages: write
+      actions: read
       id-token: write
-    env:
-      IMAGE_RELEASE: ${{ needs.build.outputs.image-release }}
-      PROVENANCE_FILE: provenance.att
-    steps:
-      - name: Install Cosign
-        uses: sigstore/cosign-installer@v2.8.1
+      packages: write
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.4.0
+    with:
+      image: ${{ needs.build.outputs.image-name }}
+      digest: ${{ needs.build.outputs.image-digest }}
+      registry-username: ${{ inputs.registry-username }}
+    secrets:
+      registry-password: ${{ secrets.GITHUB_TOKEN }}
+  
+  # provenance:
+  #   name: Provenance
+  #   runs-on: ubuntu-22.04
+  #   needs: [build,sign]
+  #   permissions:
+  #     packages: write
+  #     id-token: write
+  #   env:
+  #     IMAGE_RELEASE: ${{ needs.build.outputs.image-release }}
+  #     PROVENANCE_FILE: provenance.att
+  #   steps:
+  #     - name: Install Cosign
+  #       uses: sigstore/cosign-installer@v2.8.1
 
-      - name: Log into container registry
-        uses: redhat-actions/podman-login@v1.4
-        with:
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-          registry: ${{ env.REGISTRY }}
+  #     - name: Log into container registry
+  #       uses: redhat-actions/podman-login@v1.4
+  #       with:
+  #         username: ${{ github.actor }}
+  #         password: ${{ secrets.GITHUB_TOKEN }}
+  #         registry: ${{ env.REGISTRY }}
 
-      - name: Extract digest
-        run: |
-          digest=$(echo ${IMAGE_RELEASE} | cut -d "@" -f2)
-          echo "IMAGE_DIGEST=${digest}" >> $GITHUB_ENV
+  #     - name: Extract digest
+  #       run: |
+  #         digest=$(echo ${IMAGE_RELEASE} | cut -d "@" -f2)
+  #         echo "IMAGE_DIGEST=${digest}" >> $GITHUB_ENV
 
-      - name: Generate provenance
-        uses: philips-labs/slsa-provenance-action@v0.7.2
-        with:
-          command: generate
-          subcommand: container
-          arguments: --repository ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} --tags ${{ env.VERSION }} --digest ${{ env.IMAGE_DIGEST }} --output-path ${{ env.PROVENANCE_FILE }}
-        env:
-          COSIGN_EXPERIMENTAL: 0
+  #     - name: Generate provenance
+  #       uses: philips-labs/slsa-provenance-action@v0.7.2
+  #       with:
+  #         command: generate
+  #         subcommand: container
+  #         arguments: --repository ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} --tags ${{ env.VERSION }} --digest ${{ env.IMAGE_DIGEST }} --output-path ${{ env.PROVENANCE_FILE }}
+  #       env:
+  #         COSIGN_EXPERIMENTAL: 0
 
-      - name: Attach provenance
-        run: |
-          jq '.predicate' "${PROVENANCE_FILE}" > provenance-predicate.att
-          cosign attest --predicate provenance-predicate.att --type slsaprovenance "${IMAGE_RELEASE}"
+  #     - name: Attach provenance
+  #       run: |
+  #         jq '.predicate' "${PROVENANCE_FILE}" > provenance-predicate.att
+  #         cosign attest --predicate provenance-predicate.att --type slsaprovenance "${IMAGE_RELEASE}"
 
-      - uses: actions/upload-artifact@v3.1.1
-        with:
-          name: provenance.att
-          path: ${{ env.PROVENANCE_FILE }}
+  #     - uses: actions/upload-artifact@v3.1.1
+  #       with:
+  #         name: provenance.att
+  #         path: ${{ env.PROVENANCE_FILE }}

.github/ISSUE_TEMPLATE/feature_request.md

@@ -1,5 +1,7 @@
 # Kadras Packages
 
+<a href="https://slsa.dev/spec/v0.1/levels"><img src="https://slsa.dev/images/gh-badge-level3.svg" alt="The SLSA Level 3 badge"></a>
+
 A collection of Kubernetes-native packages built with [Carvel](https://carvel.dev) and part of the Kadras project.
 
 ## Package Repository
@@ -95,6 +97,6 @@ This package repository is inspired by the work done by the Carvel team and the
 
 ## Supply Chain Security
 
-This project is compliant with level 2 of the [SLSA Framework](https://slsa.dev).
+This project is compliant with level 3 of the [SLSA Framework](https://slsa.dev).
 
-<img src="https://slsa.dev/images/SLSA-Badge-full-level2.svg" alt="The SLSA Level 2 badge" width=200>
+<img src="https://slsa.dev/images/SLSA-Badge-full-level3.svg" alt="The SLSA Level 3 badge" width=200>