Securing upstream releases

[jotak]

Upstream builds and releases are done through GitHub worklows:

• Every push to main triggers an OCI image build, which is pushed to quay.io.
• Releases are triggered by a git tag, and resulting images are pushed as well to quay.io.

The release process is described here. Some manual steps are involved to publish release notes and the Helm chart.

The on-push builds may remain as is, but we need to secure the release builds by:

• Generating SBOM
• Signing images
• Making releases immutable
• Automating the Helm chart generation (optional)