chore: update contracts in chainloop oss (#1506)

Signed-off-by: Jose I. Paris <[email protected]>

.github/workflows/contracts/chainloop-chainloop-github-release.yaml

@@ -1,14 +1,21 @@
+# contract used in chainloop-vault-release workflow
 schemaVersion: v1
 policies:
-  materials:
-    - ref: sbom-with-licenses
-    - ref: sbom-freshness
-    - ref: sbom-banned-licenses
-      with:
-        licenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later
-    - ref: sbom-banned-components
-      with:
-        components: [email protected]
   attestation:
-    - ref: sbom-present
-    - ref: source-commit
+    - ref: source-commit
+policyGroups:
+  - ref: sbom-quality
+    with:
+      sbom_name: cas-cyclonedx
+      bannedLicenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later
+      bannedComponents: [email protected]
+  - ref: sbom-quality
+    with:
+      sbom_name: cli-cyclonedx
+      bannedLicenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later
+      bannedComponents: [email protected]
+  - ref: sbom-quality
+    with:
+      sbom_name: controlplane-cyclonedx
+      bannedLicenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later
+      bannedComponents: [email protected]

.github/workflows/contracts/chainloop-docs-release.yml

@@ -1,3 +1,4 @@
+# Contract used in chainloop-docs-release workflow
 schemaVersion: v1
 runner:
   type: GITHUB_ACTION
@@ -6,20 +7,17 @@ materials:
     name: built-site
     optional: false
     output: true
-  - type: SBOM_CYCLONEDX_JSON
-    name: sbom-cdx
-    output: false
-  - type: SBOM_SPDX_JSON
-    name: sbom-spdx
-    output: false
 policies:
   attestation:
     - ref: source-commit
-  materials:
-    - ref: sbom-present
-    - ref: sbom-banned-licenses
-      with:
-        licenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later
-    - ref: sbom-banned-components
-      with:
-        components: [email protected]
+policyGroups:
+  - ref: sbom-quality
+    with:
+      sbom_name: sbom-cdx
+      bannedLicenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later
+      bannedComponents: [email protected]
+  - ref: sbom-quality
+    with:
+      sbom_name: sbom-spdx
+      bannedLicenses: AGPL-1.0-only, AGPL-1.0-or-later, AGPL-3.0-only, AGPL-3.0-or-later
+      bannedComponents: [email protected]

.github/workflows/contracts/chainloop-vault-codeql.yml

@@ -1,3 +1,4 @@
+# Contract for chainloop-vault-codeql workflow
 schemaVersion: v1
 runner:
   type: GITHUB_ACTION
@@ -8,8 +9,3 @@ materials:
 policies:
   attestation:
     - ref: source-commit
-  materials:
-    - ref: vulnerabilities
-      with:
-        severity: MEDIUM
-    - ref: cves-in-kev

.github/workflows/contracts/chainloop-vault-helm-package.yml

@@ -1,3 +1,4 @@
+# Contract for chainloop-vault-helm-package workflow
 schemaVersion: v1
 runner:
   type: GITHUB_ACTION
@@ -14,3 +15,6 @@ materials:
 policies:
   attestation:
     - ref: source-commit
+  materials:
+    - ref: artifact-signed
+

.github/workflows/contracts/chainloop-vault-release.yml

@@ -1,3 +1,4 @@
+# Contract for the chainloop-vault-build-and-package workflow
 schemaVersion: v1
 runner:
   type: GITHUB_ACTION

.github/workflows/contracts/chainloop-vault-scorecards.yml

@@ -1,3 +1,4 @@
+# Contract for chainloop-vault-scorecards workflow
 schemaVersion: v1
 runner:
   type: GITHUB_ACTION
@@ -8,8 +9,3 @@ materials:
 policies:
   attestation:
     - ref: source-commit
-  materials:
-    - ref: vulnerabilities
-      with:
-        severity: MEDIUM
-    - ref: cves-in-kev