# Preparation before demo

* Have all the credentials opened
* Create one or two apps, make a change there (to trigger the pipeline) and release them (tag in GitLab)
* Pre-create the DevSpaces workspace (so the images are pulled) & stop it (there is a 1-workspace limit)
* Have tabs opened:
  * Developer Hub
  * Quay
  * ACS
  * DevSpaces?

Red Hat Trusted Artifact Signer (RHTAS) - used for signing & verifying software artifacts. Productized sigstore.
Red Hat Trusted Profile Analyzer (RHTPA) - productized guac.
SLSA - Supply Chain Levels for Software Artifacts.

# Dance demo playbook

1. Open RHDH & login
2. ? Show existing catalog
3. Create new
   * Go through GPT
4. Clone source code locally (or use DevSpaces)
5. Run `mvn quarkus:dev`
6. Do some changes to the source code
   * Test
   * Commit
   * Push
7. Pipeline is started
   * Observe the pipeline
9. Go to another app and show an already finished pipeline
   * Explain the steps briefly:
     * Package
     * Source code scan
     * Build
       * full build with signatures, attestations, SBOM generation & upload
     * acs-image-scan - CVEs from the ACS standpoint
     * acs-image-check - policies from ACS
10. Go back to the original app
    * Hopefully it's already built at this time.
    * Do a release - tag in GitLab. If the build is not ready, do a release on some other app.
    * The EC validates SLSA levels (validates the attestations, signatures, provenance etc.) and can block the release.
11. This is basically it
12. Bonus - go to the editor again, add a vulnerable dependency and show Dependency analysis

    ```xml
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.2</version>
    </dependency>
    ```
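As an added example (not part of the original playbook and not Red Hat's EC implementation), this is the shape of the policy check step 10 describes: the release gate decodes the DSSE-wrapped SLSA provenance attestation the build step attached to the image and rejects the release when the subject digest, builder or source repository do not match. The builder id, repository URI and digests are constructed placeholders, and signature verification against the RHTAS/sigstore key is assumed to have run before this check.

```python
import base64
import json

# Constructed sample values for the demo: none are real digests, builders or repos.
IMAGE_DIGEST = "sha256:" + "ab" * 32
SOURCE_URI = "git+https://gitlab.example.com/demo/app"          # hypothetical repo
ALLOWED_BUILDERS = {"https://builder.example.com/pipeline"}     # hypothetical builder id
IN_TOTO_TYPE = "application/vnd.in-toto+json"

def dsse_pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: the exact bytes a signature covers."""
    return b" ".join([b"DSSEv1", str(len(payload_type)).encode(), payload_type.encode(),
                      str(len(payload)).encode(), payload])

def make_envelope(statement: dict) -> dict:
    """Wrap an in-toto statement in a DSSE envelope (signature left empty here)."""
    payload = json.dumps(statement).encode()
    return {"payloadType": IN_TOTO_TYPE, "payload": base64.b64encode(payload).decode(),
            "signatures": [{"keyid": "demo-key", "sig": ""}]}

def sample_statement(builder_id: str, digest_hex: str) -> dict:
    """Constructed SLSA v0.2 provenance statement for a container image."""
    return {"_type": "https://in-toto.io/Statement/v0.1",
            "predicateType": "https://slsa.dev/provenance/v0.2",
            "subject": [{"name": "quay.io/example/app", "digest": {"sha256": digest_hex}}],
            "predicate": {"builder": {"id": builder_id},
                          "materials": [{"uri": SOURCE_URI, "digest": {"sha1": "f" * 40}}]}}

def check_provenance(envelope: dict, image_digest: str, allowed_builders: set,
                     source_uri: str) -> list:
    """Return policy violations; an empty list means the release may proceed.
    Signature verification against the RHTAS/sigstore key is assumed to run first."""
    if envelope.get("payloadType") != IN_TOTO_TYPE:
        return ["unexpected DSSE payloadType"]
    stmt = json.loads(base64.b64decode(envelope["payload"]))
    violations = []
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v0.2":
        violations.append("predicate is not SLSA v0.2 provenance")
    # The attestation must be about the exact image digest being released.
    algo, _, hexval = image_digest.partition(":")
    if not any(s.get("digest", {}).get(algo) == hexval for s in stmt.get("subject", [])):
        violations.append("subject digest does not match the image")
    pred = stmt.get("predicate", {})
    builder = pred.get("builder", {}).get("id")
    if builder not in allowed_builders:
        violations.append(f"builder {builder!r} is not trusted")
    if not any(m.get("uri") == source_uri for m in pred.get("materials", [])):
        violations.append("build did not consume the expected source repository")
    return violations
```

Feeding an attestation for a different digest or an unknown builder yields non-empty violations, which is the point at which a gate like the EC blocks the tag-triggered release.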