Jason Hall
+1, but we should depend on cosign SDK packages instead of its CLI commands. We would also need to figure out what flags from cosign we want to bring over...
This is likely currently blocked on refactoring/rewriting the sigstore Go client to trim its dependencies and simplify the interface. This is closely related to (and likely blocked on) #357, since...
Seems related to the removal of watch mode in #585 -- there was a lot of fiddly concurrency involved in there before, and removing it may not have cleaned everything...
Cosign has also explored adding a CLI to resolve image references in a Dockerfile so they're more reproducible/verifiable: see https://github.com/sigstore/cosign/issues/707 and PR https://github.com/sigstore/cosign/pull/1120. If there was one reliable, canonical way...
This change wouldn't cache popular node packages, just the layers of the official node image, sorry.
Oh sorry I misunderstood your comment. Yeah, caching `node` and some popular versioned tags should make them faster to build images on top of.
You might be able to just merge https://github.com/GoogleCloudPlatform/cloud-builders/pull/504, if nobody is still using the special-case logic.
cc @jonjohnsonjr
I would recommend using the `google/cloud-sdk` image instead, which upgrades more often and supports tags in case you need to pin to an older version (`google/cloud-sdk:190.0.0`).
It's [`google/cloud-sdk`](https://hub.docker.com/r/google/cloud-sdk/) on Dockerhub.