ci(.github)[SEC-1084]: SLSA supply chain security controls

[saisatishkarra]

New

• Unify GH release for insomnia and inso-cli using tag:core@<tag>
• Perform keyless image signing:
  • inso-cli docker image
  • No images for other artifacts are produced
• Signatures for container image signing are published to
  • docker.io/kong/notary : public (for semver tags w/o alpha|beta)
  • docker.io/kong/notary-internal : private alpha|beta tags
• Perform keyless image provenance generation:
  • insomnia binary artifacts
  • inso-cli binary artifacts
  • inso-cli docker image
• Perform repository scanning for SCA and SBOM analyzing root level package-lock.json
• All SBOMs produced from images and repository scanning will be updated as:
  • Github release / tag assets for release / tag event
  • GIthub workflow assets for push / pr for release branches

[saisatishkarra]

@jackkav / @filfreire An alpha release tag / branch is needed to test these changes.

[jackkav]

WS_PATH isn't very clear what WS means, just _PATH would be clearer.

[jackkav]

Also the amount of indirection here makes the scripts hard to read.

[saisatishkarra]

i have removed the INSO_PACKAGE_WS_PATH and INSO_PACKAGE_ARIFACTS_PATH variables and replaced with ./packages/<env.ISNO_PACKAGE_NAME>/<path>

[saisatishkarra]

Signatures for container image signing are published to:

1. docker.io/kong/notary : public (for semver tags w/o alpha|beta)
2. docker.io/kong/notary-internal : private repo (alpha|beta) tags

@jackkav LMK if the alpha and beta tags are considered for external use and the signatures must be publicly verifiable? In this case, i can point to kong/notary instead of kong/notary-internal for alpha|beta tags

[jackkav]

lets merge this when we have a spare hour or two to test an alpha and fix any issues.