-
Notifications
You must be signed in to change notification settings - Fork 1
/
values.yaml
35 lines (35 loc) · 2.3 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
# A default policy can be created by setting policy.enabled to true.
policy:
# To verify an attestation, we must validate the identity of the workflow that signed it, which is stored in the attestation's certificate's subject alternative name.
# To validate the signer workflow's identity, you can set the subjectRegExp value, or set the organization and the repository values below.
#
# policy.organization is used to validate the signer workflow's identity. An attestation is valid if it was generated inside a repository owned by this organization.
# Required if policy.enabled is true and policy.subjectRegExp has not been set.
organization:
# policy.repository is used to validate the signer workflow's identity. An attestation is valid if it was generated inside this specific repository.
# Must be used in combination with the policy.organization value.
repository: '.*'
# policy.subjectRegExp is a regex used to validate the signer workflow's identity. Use this if your attestations are generated with a reusable workflow.
# Required if policy.enabled is true and policy.organization has not been set.
subjectRegExp:
# policy.predicateType defines the type of predicate that the default policy expects
predicateType: https://slsa.dev/provenance/v1
# images is a list of image glob patterns that the policy applies to
images:
- "**"
# exemptImages is a list of image glob patterns that will be allowed to run without verification
exemptImages: []
# policy.enabled enables the default policy
enabled: false
# policy.trust identifies which signing authorities should be trusted as part of the policy
trust:
# trust the GitHub signing authority
github: true
# githubTrustDomain is determined by where your GitHub enterprise account is hosted.
# If your enterprise is on GitHub.com, leave this field blank.
# If your enterprise is on GHE.com, then githubTrustDomain must be set to the output of the following command:
# $ gh api meta --jq .domains.artifact_attestations.trust_domain
# For more information, see: https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations/enforcing-artifact-attestations-with-a-kubernetes-admission-controller
githubTrustDomain: ''
# trust the Sigstore public-good signing authority
sigstorePublic: true