docs(verify-artifacts): fix stale image-signing table and rebrand Replicated SDK references#1044
Merged
Merged
Conversation
- Add `thv` to the _release-image.yml row — it's signed and vex-attested just like operator/proxyrunner, but was missing from the table. - Move Envoy Gateway, Envoy Ratelimit, and Presidio out of the "third-party, not re-signed" bucket into the _release-image-repackaged.yml row. Since stacklok/stacklok-enterprise-platform#2332 these are repackaged and Stacklok-signed (signature + SBOM + provenance + OpenVEX) like ai-gateway-controller/extproc, so the old guidance to check the upstream publishers' signatures instead was actively wrong. - Correct the Replicated SDK note: it isn't rewritten through image-proxy.stacklok.com at all (unlike every other image on this page) — it's pulled directly from proxy.replicated.com. It remains the only genuine third-party passthrough image. - Add thv/envoy-gateway/envoy-ratelimit/presidio-analyzer to the "verify across all images" loop. Verified live against v0.7.0 through the actual customer path (image-proxy.stacklok.com with a real license) for every image touched by this change: signature, SBOM, SLSA provenance, and OpenVEX attestations all present and valid. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
… License Manager The umbrella chart set nameOverride: stacklok-license-manager on the Replicated SDK subchart (stacklok/stacklok-enterprise-platform#2167), renaming its Deployment/Service in-cluster. Update the display name here to match what customers actually see via `kubectl get pods`, and note that the underlying image name/pull path are unchanged (that's the vendor's own artifact, not ours to rename). Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
ChrisJBurns
approved these changes
Jul 17, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The "Which images are signed" table in the artifact-verification guide had drifted from reality:
thv(the CLI/API server image) was missing entirely — it's built and signed via_release-image.ymljust likeoperator/proxyrunner._release-upstream-repackaged.yml, same asai-gateway-controller/ai-gateway-extproc. Telling a customer to check the upstream publisher's signature instead of Stacklok's for these images was actively misleading.connector-gatewayis intentionally not added — it's still pre-release and not yet customer-facing.A follow-up commit also rebrands the "Replicated SDK" display name to "Stacklok License Manager" throughout the page, matching stacklok/stacklok-enterprise-platform#2167, which set
nameOverride: stacklok-license-manageron the SDK subchart — the component now appears asstacklok-license-manager-*inkubectl get pods, notreplicated-*. The underlying image name/pull path (replicated-sdk-image, pulled directly fromproxy.replicated.com, not throughimage-proxy.stacklok.com) is unchanged and called out explicitly — that's the vendor's own artifact name, not ours to rename. It remains the only genuine third-party passthrough image in the table.Type of change
Verification
Verified live against the actual v0.7.0 release, through the real customer path (
docker login image-proxy.stacklok.comwith a live license, thencosign verify/cosign verify-attestationthrough the proxy) — not just against the origin registry. For every image touched by the first commit (thv,envoy-gateway,envoy-ratelimit,presidio-analyzer), confirmed all four artifacts present and valid: signature, SBOM (spdxjson), SLSA provenance (slsaprovenance1), and OpenVEX.The rebrand commit is a display-name/prose change only (no new commands to verify) — confirmed the new pod-name claim against the vendored Replicated SDK chart's
_helpers.tpl(nameOverridereplaces the resource name outright, no prefix).This follows up on a customer report of a missing OpenVEX attestation, root-caused and fixed in stacklok/stacklok-enterprise-platform#2477 (a staging-tag race in the release pipeline); this PR corrects the docs' image inventory and naming that were found stale while validating that fix.
Related issues/PRs
stacklok/stacklok-enterprise-platform#2477
stacklok/stacklok-enterprise-platform#2167
stacklok/stacklok-enterprise-platform#2500 (same rebrand, install-helm.md)
Submitter checklist
Content and formatting