Outcome
Resolution: Unresolved
Goal
The goal of this initiative is to integrate Image Builder with Konflux.
Here's the document that describes the options for integrating.
Requirements
1. Every build shall be orchestrated by Konflux
2. Every build shall have attestation
Tekton Chains generates in-toto format attestations, which can then be evaluated against a policy to permit or deny a release.
Example inspection:
cosign download attestation registry.redhat.io/rhtas-tech-preview/client-server-rhel9:1.0.beta | jq -r '.payload|@base64d'
3. Every build shall have an SBOM
We can likely convert osbuild's manifest.json to the SPDX format. There is also an existing SBOM generator for RHEL that we could use as a reference.
4. Every build shall be deterministic
“insofar as the inputs for the build are fully determined in git or by the parameters requesting the build; for example, the build should not pull in different rpm content if you run it one way when the dnf repos contain today's content but then tomorrow pull in different rpm content if you run it the same way when the dnf repos contain tomorrow's content”
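As an added example serving requirements 3 and 4 (it is not code from the Image Builder, osbuild or Konflux projects): a Python sketch that converts the RPM sources recorded in an osbuild manifest.json into a minimal SPDX 2.3 document, walking the sources in sorted digest order so the SBOM itself is reproducible for a given manifest. The manifest layout, the sample digests and URLs, and the SPDX document namespace are constructed assumptions.

```python
import json
import re

# Constructed sample (not from a real build): a trimmed osbuild manifest (format v2).
# Assumed layout: "sources" lists every RPM the build fetches, keyed by sha256 digest,
# with the URL it is downloaded from; the pipelines/stages are left empty here.
SAMPLE_MANIFEST = json.dumps({"version": "2", "pipelines": [], "sources": {
    "org.osbuild.curl": {"items": {
        "sha256:" + "a" * 64: {"url": "https://repo.example.invalid/bash-5.1.8-6.el9.x86_64.rpm"},
        "sha256:" + "b" * 64: {"url": "https://repo.example.invalid/openssl-libs-3.0.7-16.el9_2.x86_64.rpm"},
    }}}})

# NEVRA split of an RPM file name: <name>-<version>-<release>.<arch>.rpm
NEVRA_RE = re.compile(r"^(?P<name>.+)-(?P<version>[^-]+)-(?P<release>[^-]+)\.(?P<arch>[^.]+)\.rpm$")


def manifest_to_spdx(manifest_text: str, image_name: str) -> dict:
    """Map the manifest's fetched RPMs to a minimal SPDX 2.3 document (creationInfo omitted).
    Each RPM becomes a package with its sha256 checksum and download URL, CONTAINed by the
    image package; sources are walked in sorted digest order so output is reproducible."""
    manifest = json.loads(manifest_text)
    items = manifest.get("sources", {}).get("org.osbuild.curl", {}).get("items", {})
    image_id = "SPDXRef-Image"
    packages = [{"SPDXID": image_id, "name": image_name,
                 "downloadLocation": "NOASSERTION", "filesAnalyzed": False}]
    relationships = []
    for digest, item in sorted(items.items()):
        algo, hexval = digest.split(":", 1)
        filename = item["url"].rsplit("/", 1)[-1]
        m = NEVRA_RE.match(filename)
        spdx_id = f"SPDXRef-Package-{hexval[:12]}"
        packages.append({
            "SPDXID": spdx_id,
            "name": m["name"] if m else filename,
            "versionInfo": f"{m['version']}-{m['release']}" if m else "NOASSERTION",
            "downloadLocation": item["url"],
            "filesAnalyzed": False,
            "checksums": [{"algorithm": algo.upper(), "checksumValue": hexval}],
        })
        relationships.append({"spdxElementId": image_id, "relatedSpdxElement": spdx_id,
                              "relationshipType": "CONTAINS"})
    return {"spdxVersion": "SPDX-2.3", "dataLicense": "CC0-1.0", "SPDXID": "SPDXRef-DOCUMENT",
            "name": image_name,
            "documentNamespace": f"https://sbom.example.invalid/{image_name}",  # placeholder
            "packages": packages, "relationships": relationships}


if __name__ == "__main__":
    print(json.dumps(manifest_to_spdx(SAMPLE_MANIFEST, "rhel9-qcow2"), indent=2))
```

A real converter would also carry the rpm stage's GPG keys and the image's own digest into the document; the point here is that every package entry is tied to the exact artifact digest the build consumed.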