Suggestions for better supply chain attestation #210
Description
Hi there!
Thanks for building this image. I see that the latest tag seems to be built on cron schedule without any associated Github tag or reference.
It's not super great from a supply chain perspective since we can't easily trace back the origin of the image to a specific source code.
Couple of recommendations, take what you want:
- Add the commit sha to the annotation of the image (allow easy tracking of the source)
- Create a new patch tag on github for every push on latest (+add that tag in annotations)
- Add a
3.9and3tag so people can stick to a minor/major but also get the patches
Thanks!