
[rc1-prep] Hardcode KO_DOCKER_REPO step-level for parameterless build #316

Description

@trilamsr

Per docs/v1-rc1-operational-gaps.md §1 SLSA L3, remediation step 3.

Work: in .github/workflows/release.yml:423, the ko-publish job sets KO_DOCKER_REPO: ghcr.io/tracecoreai/tracecore at the env-line level. SLSA L3 requires parameterless builds: hardcode the value at the step level rather than the job env to satisfy "no operator-supplied build parameters that change the produced artifact".

Acceptance: grep KO_DOCKER_REPO .github/workflows/release.yml returns only step-scoped occurrences; provenance predicate buildDefinition.resolvedDependencies is unchanged.

Effort: S (1-line move).
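The acceptance check above, as an added example that is not part of the original issue or the project's code: a plain grep cannot tell a job-level env: entry from a step-level one, so this sketch classifies each KO_DOCKER_REPO occurrence by its enclosing YAML keys. The two sample workflows are constructed (the real release.yml is not shown on this page), the scanner is indentation-based rather than a full YAML parser, and treating a `${{ }}` expression as "not hardcoded" is an assumption.

```python
import re

VAR = "KO_DOCKER_REPO"
KEY = re.compile(r"^(\s*)(- +)?([\w.-]+):(\s|$)")

def occurrences(workflow_text):
    """Yield (line_no, scope, is_literal) for each line that mentions VAR."""
    stack = []  # (indent, key) of enclosing mapping keys; "-" marks a list item
    for no, line in enumerate(workflow_text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = KEY.match(line)
        if m:
            indent, dash = len(m.group(1)), m.group(2)
            if dash:  # "- name: x": close the previous list item, open a new one
                while stack and (stack[-1][0] > indent or stack[-1] == (indent, "-")):
                    stack.pop()
                stack.append((indent, "-"))
                indent += len(dash)
            while stack and stack[-1][0] >= indent:
                stack.pop()
        path = [key for _, key in stack]
        if VAR in line:
            scope = "step" if "steps" in path else "job" if path[:1] == ["jobs"] else "workflow"
            yield no, scope, "${{" not in line  # assumption: an expression is not hardcoded
        if m:
            stack.append((indent, m.group(3)))

def violations(workflow_text):
    """Occurrences that are not step-scoped, or whose line contains an expression."""
    return [(no, scope) for no, scope, literal in occurrences(workflow_text)
            if scope != "step" or not literal]

# Constructed samples: job-level env (as the issue describes) and the step-level form.
BEFORE = """\
jobs:
  ko-publish:
    env:
      KO_DOCKER_REPO: ghcr.io/tracecoreai/tracecore
    steps:
      - name: Publish
        run: ko build
"""
AFTER = """\
jobs:
  ko-publish:
    steps:
      - name: Publish
        env:
          KO_DOCKER_REPO: ghcr.io/tracecoreai/tracecore
        run: ko build
"""
```

An empty list from `violations()` corresponds to the issue's "only step-scoped occurrences" criterion; it says nothing about the provenance predicate, which still has to be compared separately.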

Metadata

Labels

rc1-prep: v1.0-rc1 preparation tasks per docs/v1-rc1-operational-gaps.md
