Aditya Sirish
I also want to plug SLSA provenance generated for NPM packages. Eg: https://search.sigstore.dev/?logIndex=33351527 (see "Attestation")
> I see the predicateType as the thing to match with our current messages. In other words; is there a suitable predicateType that fits our current message payload. I have...
I meant to post this here but left it on the SLSA thread by mistake: I don't know of GitHub's support for this but last I checked, there's a [4...
Perhaps `gitCommit` should be replaced with `gitCommitSha1` and `gitCommitSha256` options so we avoid this altogether.
We can also use that to set policies more easily in future to only allow SHA-256 git repos (without having to check the length for each entry).
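As an added illustration of the point made in the two comments above (this is not code from in-toto or from the commenter): a small Python checker that reads the git commit from an in-toto DigestSet (a mapping of algorithm name to lowercase hex digest). With the existing `gitCommit` key the algorithm has to be inferred from the digest length; with the proposed `gitCommitSha1` / `gitCommitSha256` keys (names taken from the comment, still a proposal) a "SHA-256 repos only" policy reduces to a key-presence check. The digests used in the comments are constructed placeholders.

```python
import re

# Hex-length patterns for the two object formats Git supports.
_SHA1_HEX = re.compile(r"^[0-9a-f]{40}$")
_SHA256_HEX = re.compile(r"^[0-9a-f]{64}$")

# Proposed explicit keys (assumption: names as suggested in the comment above).
_EXPLICIT_KEYS = {
    "gitCommitSha1": ("sha1", _SHA1_HEX),
    "gitCommitSha256": ("sha256", _SHA256_HEX),
}


def classify_git_commit(digest_set):
    """Return (algorithm, hex) for the git commit recorded in a DigestSet.

    Accepts the legacy ambiguous `gitCommit` key (algorithm inferred from the
    digest length) as well as the explicit keys. Raises ValueError when a value
    is malformed, when no commit is recorded, or when entries disagree.
    """
    found = set()

    # Explicit keys: the key itself names the algorithm; only the format is checked.
    for key, (algo, pattern) in _EXPLICIT_KEYS.items():
        if key in digest_set:
            value = digest_set[key]
            if not pattern.match(value):
                raise ValueError(f"{key} is not a well-formed {algo} digest")
            found.add((algo, value))

    # Legacy key: the algorithm is not stated, so fall back to the length test.
    if "gitCommit" in digest_set:
        value = digest_set["gitCommit"]
        if _SHA1_HEX.match(value):
            found.add(("sha1", value))
        elif _SHA256_HEX.match(value):
            found.add(("sha256", value))
        else:
            raise ValueError("gitCommit is neither a 40- nor a 64-char hex digest")

    if not found:
        raise ValueError("no git commit digest present")
    if len(found) > 1:
        raise ValueError(f"conflicting git commit digests: {sorted(found)}")
    return found.pop()


def is_well_formed(digest_set):
    """True iff the DigestSet records exactly one valid git commit."""
    try:
        classify_git_commit(digest_set)
        return True
    except ValueError:
        return False


def requires_sha256_repo(digest_set):
    """Policy: only accept commits that come from a SHA-256 git repository."""
    return classify_git_commit(digest_set)[0] == "sha256"


if __name__ == "__main__":
    # Constructed sample digests, not real commits.
    legacy = {"gitCommit": "a" * 40}
    explicit = {"gitCommitSha256": "b" * 64}
    print(classify_git_commit(legacy))      # ('sha1', 'aaaa...')
    print(requires_sha256_repo(explicit))   # True
```

The explicit-key path never looks at the digest length to decide the algorithm; it only validates the format, which is exactly the simplification the comment argues for.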
Hi @AdamZWu, have you looked at in-toto layouts? They're the counterpart to an in-toto attestation that define the steps in a supply chain and _who_ can perform each step, identified...
> Have we given any thought to how this interacts with https://github.com/in-toto/attestation/issues/124 and https://github.com/in-toto/attestation/issues/124#issuecomment-1488677973. cc @colek42 I think they're complementary. The review predicate can apply to sources recorded in links...
I've added a new field to the VCS one called `target` that records the base branch and its state. This is, IMO, valuable when judging a changeset as it matters...
cc @marcelamelara
Side note: does this belong in https://github.com/secure-systems-lab/dsse, apart from any changes to in-toto's media type as a consequence of a DSSE change?