feat(docs): update contract examples

docs/examples/contracts/container-image-sbom/azure-pipeline.yaml

@@ -1,13 +1,17 @@
-schemaVersion: v1
-
 # Require both a container image reference and a CycloneDX SBOM with the attestation happening in Azure Devops Pipeline
-materials:
-  - type: CONTAINER_IMAGE
-    name: image
-    output: true
+apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: azure-pipeline
+  description: Require both a container image reference and a CycloneDX SBOM with the attestation happening in Azure Devops Pipeline
+spec:
+  materials:
+    - type: CONTAINER_IMAGE
+      name: image
+      output: true
 
-  - type: SBOM_CYCLONEDX_JSON
-    name: sbom
+    - type: SBOM_CYCLONEDX_JSON
+      name: sbom
 
-runner:
-  type: "AZURE_PIPELINE"
+  runner:
+    type: "AZURE_PIPELINE"

docs/examples/contracts/container-image-sbom/github.yaml

@@ -1,13 +1,17 @@
 # Require both a container image reference and a CycloneDX SBOM with the attestation happening in GitHub actions
-schemaVersion: v1
+apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: github
+  description: Require both a container image reference and a CycloneDX SBOM with the attestation happening in GitHub actions
+spec:
+  materials:
+    - type: CONTAINER_IMAGE
+      name: image
+      output: true
 
-materials:
-  - type: CONTAINER_IMAGE
-    name: image
-    output: true
+    - type: SBOM_CYCLONEDX_JSON
+      name: sbom
 
-  - type: SBOM_CYCLONEDX_JSON
-    name: sbom
-
-runner:
-  type: "GITHUB_ACTION"
+  runner:
+    type: "GITHUB_ACTION"

docs/examples/contracts/container-image-sbom/gitlab.yaml

@@ -1,13 +1,17 @@
-schemaVersion: v1
-
 # Require both a container image reference and a CycloneDX SBOM with the attestation happening in Gitlab
-materials:
-  - type: CONTAINER_IMAGE
-    name: image
-    output: true
+apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: gitlab
+  description: Require both a container image reference and a CycloneDX SBOM with the attestation happening in Gitlab
+spec:
+  materials:
+    - type: CONTAINER_IMAGE
+      name: image
+      output: true
 
-  - type: SBOM_CYCLONEDX_JSON
-    name: sbom
+    - type: SBOM_CYCLONEDX_JSON
+      name: sbom
 
-runner:
-  type: "GITLAB_PIPELINE"
+  runner:
+    type: "GITLAB_PIPELINE"

docs/examples/contracts/csaf/contract.yaml

@@ -1,14 +1,19 @@
-schemaVersion: v1
-materials:
-  # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#45-profile-5-vex
-  - type: CSAF_VEX
-    name: vex-disclosure
-  # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#43-profile-3-informational-advisory
-  - type: CSAF_INFORMATIONAL_ADVISORY
-    name: informational-advisory
-  # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#44-profile-4-security-advisory
-  - type: CSAF_SECURITY_ADVISORY
-    name: security-advisory
-  # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#42-profile-2-security-incident-response
-  - type: CSAF_SECURITY_INCIDENT_RESPONSE
-    name: security-incident-response
+apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: contract
+  description: Contract for CSAF advisories and VEX
+spec:
+  materials:
+    # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#45-profile-5-vex
+    - type: CSAF_VEX
+      name: vex-disclosure
+    # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#43-profile-3-informational-advisory
+    - type: CSAF_INFORMATIONAL_ADVISORY
+      name: informational-advisory
+    # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#44-profile-4-security-advisory
+    - type: CSAF_SECURITY_ADVISORY
+      name: security-advisory
+    # Refs: https://docs.oasis-open.org/csaf/csaf/v2.0/os/csaf-v2.0-os.html#42-profile-2-security-incident-response
+    - type: CSAF_SECURITY_INCIDENT_RESPONSE
+      name: security-incident-response

docs/examples/contracts/empty/azure-pipeline.yaml

@@ -1,5 +1,10 @@
 # Empty Chainloop contract valid for a workflow run in a Azure Pipeline
-schemaVersion: "v1"
 # See https://docs.chainloop.dev/reference/operator/contract#runner-context
-runner:
-  type: "AZURE_PIPELINE"
+apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: azure-pipeline
+  description: Empty Chainloop contract valid for a workflow run in a Azure Pipeline
+spec:
+  runner:
+    type: "AZURE_PIPELINE"

docs/examples/contracts/empty/generic.yaml

@@ -1,2 +1,7 @@
 # Empty Chainloop contract valid for any runner type
-schemaVersion: "v1"
+apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: generic
+  description: Empty Chainloop contract valid for any runner type
+spec:

docs/examples/contracts/empty/github.yaml

@@ -1,5 +1,10 @@
 # Empty Chainloop contract valid for a workflow run in a Github Action
-schemaVersion: "v1"
 # See https://docs.chainloop.dev/reference/operator/contract#runner-context
-runner:
-  type: "GITHUB_ACTION"
+apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: github
+  description: Empty Chainloop contract valid for a workflow run in a Github Action
+spec:
+  runner:
+    type: "GITHUB_ACTION"

docs/examples/contracts/empty/gitlab.yaml

@@ -1,5 +1,10 @@
 # Empty Chainloop contract valid for a workflow run in a Gitlab pipeline
-schemaVersion: "v1"
 # See https://docs.chainloop.dev/reference/operator/contract#runner-context
-runner:
-  type: "GITLAB_PIPELINE"
+apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: gitlab
+  description: Empty Chainloop contract valid for a workflow run in a Gitlab pipeline
+spec:
+  runner:
+    type: "GITLAB_PIPELINE"

docs/examples/contracts/helm-chart/contract.yaml

@@ -1,4 +1,9 @@
-schemaVersion: v1
-materials:
-  - type: HELM_CHART
-    name: helm-chart
+apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: contract
+  description: Contract for Helm chart attestation
+spec:
+  materials:
+    - type: HELM_CHART
+      name: helm-chart

docs/examples/contracts/sarif/sarif.yaml

@@ -1,4 +1,9 @@
-schemaVersion: v1
-materials:
-  - type: SARIF
-    name: static-output
+apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: sarif
+  description: Contract for SARIF static analysis output
+spec:
+  materials:
+    - type: SARIF
+      name: static-output

docs/examples/contracts/sbom/cyclonedx.yaml

@@ -1,7 +1,12 @@
-schemaVersion: v1
-materials:
-  # SBOMs will be uploaded to the CAS Backend of your choice, such as an OCI registry and referenced in the attestation
-  # Additionally they can be sent to any downstream integration for analysis
-  # i.e https://docs.chainloop.dev/guides/dependency-track/
-  - type: SBOM_CYCLONEDX_JSON
-    name: skynet-sbom
+apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: cyclonedx
+  description: Contract for CycloneDX SBOM attestation
+spec:
+  materials:
+    # SBOMs will be uploaded to the CAS Backend of your choice, such as an OCI registry and referenced in the attestation
+    # Additionally they can be sent to any downstream integration for analysis
+    # i.e https://docs.chainloop.dev/guides/dependency-track/
+    - type: SBOM_CYCLONEDX_JSON
+      name: skynet-sbom

docs/examples/contracts/sbom/sbom-quality.yaml

@@ -1,9 +1,14 @@
 #release-contract
-schemaVersion: v1
-materials:
-  # SBOMs will be uploaded to your artifact registry and referenced by digest in the attestation
-  # Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported
-  - type: SBOM_CYCLONEDX_JSON
-    name: sbom
-policyGroups:
-  - ref: sbom-quality
+apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: sbom-quality
+  description: Contract for SBOM quality checks
+spec:
+  materials:
+    # SBOMs will be uploaded to your artifact registry and referenced by digest in the attestation
+    # Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported
+    - type: SBOM_CYCLONEDX_JSON
+      name: sbom
+  policyGroups:
+    - ref: sbom-quality

docs/examples/contracts/sbom/spdx-cyclonedx.yaml

@@ -1,10 +1,15 @@
-schemaVersion: v1
-materials:
-  # Software Bill Of Materials (SBOMs) will be uploaded 
-  # to your artifact registry and referenced by digest in the attestation
-  # Both SPDX
-  - type: SBOM_SPDX_JSON
-    name: skynet-sbom
-  # and CYCLONEDX SBOMs are supported
-  - type: SBOM_CYCLONEDX_JSON
-    name: skynet-sbom-cyclonedx
+apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: spdx-cyclonedx
+  description: Contract for both SPDX and CycloneDX SBOM attestation
+spec:
+  materials:
+    # Software Bill Of Materials (SBOMs) will be uploaded
+    # to your artifact registry and referenced by digest in the attestation
+    # Both SPDX
+    - type: SBOM_SPDX_JSON
+      name: skynet-sbom
+    # and CYCLONEDX SBOMs are supported
+    - type: SBOM_CYCLONEDX_JSON
+      name: skynet-sbom-cyclonedx

docs/examples/contracts/sbom/spdx.yaml

@@ -1,6 +1,11 @@
-schemaVersion: v1
-materials:
-  # SBOMs will be uploaded to your artifact registry and referenced by digest in the attestation
-  # Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported
-  - type: SBOM_SPDX_JSON
-    name: skynet-sbom
+apiVersion: chainloop.dev/v1
+kind: Contract
+metadata:
+  name: spdx
+  description: Contract for SPDX SBOM attestation
+spec:
+  materials:
+    # SBOMs will be uploaded to your artifact registry and referenced by digest in the attestation
+    # Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported
+    - type: SBOM_SPDX_JSON
+      name: skynet-sbom

docs/examples/contracts/skynet/contract.cue

@@ -1,48 +1,52 @@
-schemaVersion: "v1"
-// Arbitrary set of annotations can be added to the contract and will be part of the attestation
-annotations: [
-	{
-		name:  "version"
-		value: "oss" // if the value is left empty, it will be required and resolved at attestation time
+apiVersion: "chainloop.dev/v1"
+kind: "Contract"
+metadata: {
+	name: "contract"
+	description: "Comprehensive contract for Skynet project in CUE format"
+	// Arbitrary set of annotations can be added to the contract and will be part of the attestation
+	annotations: {
+		version: "oss" // if the value is left empty, it will be required and resolved at attestation time
 	}
-]
-// Three required and one optional materials of three different kinds
-// The output flag indicates that the material will be part of the attestation subject
-materials: [
-	// CONTAINER_IMAGE kinds will get resolved to retrieve their repository digest
-	{
-		type:   "CONTAINER_IMAGE"
-		name:   "skynet-control-plane"
-		output: true
-		// Arbitrary annotations can be added to the material
-		annotations: [
-			{
-				name:  "component"
-				value: "control-plane"
-			},
-			{
-				// The value can be left empty so it can be provided at attestation time
-				name: "asset"
-			},
-		]
-	},
-	// ARTIFACT kinds will first get uploaded to the built-in Content Addressable Storage (CAS)
-	{type: "ARTIFACT", name: "rootfs"},
-	{type: "ARTIFACT", name: "dockerfile", optional: true},
-	// STRING kind materials will be injected as simple keypairs
-	{type: "STRING", name: "build-ref"},
-	// SBOMs will be uploaded to the CAS and referenced in the attestation
-	// Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported
-	{type: "SBOM_CYCLONEDX_JSON", name: "skynet-sbom"},
-  	// CSAF_VEX and OPENVEX are supported
-	{type: "OPENVEX", name: "disclosure"},
-	// And static analysis reports in SARIF format
-	{type: "SARIF", name: "static-out"},
-]
+}
+spec: {
+	// Three required and one optional materials of three different kinds
+	// The output flag indicates that the material will be part of the attestation subject
+	materials: [
+		// CONTAINER_IMAGE kinds will get resolved to retrieve their repository digest
+		{
+			type:   "CONTAINER_IMAGE"
+			name:   "skynet-control-plane"
+			output: true
+			// Arbitrary annotations can be added to the material
+			annotations: [
+				{
+					name:  "component"
+					value: "control-plane"
+				},
+				{
+					// The value can be left empty so it can be provided at attestation time
+					name: "asset"
+				},
+			]
+		},
+		// ARTIFACT kinds will first get uploaded to the built-in Content Addressable Storage (CAS)
+		{type: "ARTIFACT", name: "rootfs"},
+		{type: "ARTIFACT", name: "dockerfile", optional: true},
+		// STRING kind materials will be injected as simple keypairs
+		{type: "STRING", name: "build-ref"},
+		// SBOMs will be uploaded to the CAS and referenced in the attestation
+		// Both SBOM_CYCLONEDX_JSON and SBOM_SPDX_JSON are supported
+		{type: "SBOM_CYCLONEDX_JSON", name: "skynet-sbom"},
+	  	// CSAF_VEX and OPENVEX are supported
+		{type: "OPENVEX", name: "disclosure"},
+		// And static analysis reports in SARIF format
+		{type: "SARIF", name: "static-out"},
+	]
 
-// Env vars we want the system to resolve and inject during attestation initialization
-// Additional ones can be inherited from the specified runner context below
-envAllowList: [ "CUSTOM_VAR"]
-// Enforce in what runner context the attestation must happen
-// If not specified, the attestation crafting process is allowed to run anywhere
-runner: type: "GITHUB_ACTION"
+	// Env vars we want the system to resolve and inject during attestation initialization
+	// Additional ones can be inherited from the specified runner context below
+	envAllowList: [ "CUSTOM_VAR"]
+	// Enforce in what runner context the attestation must happen
+	// If not specified, the attestation crafting process is allowed to run anywhere
+	runner: type: "GITHUB_ACTION"
+}