Results 268 comments of Joshua Lock

I really like the idea of factoring out common pieces of the reusable workflows; however, the GitHub documentation on [Reusing workflows](https://docs.github.com/en/actions/using-workflows/reusing-workflows) states, in the [Limitations](https://docs.github.com/en/actions/using-workflows/reusing-workflows#limitations) section, that:

> Reusable workflows...

👋 [python-tuf](https://github.com/theupdateframework/python-tuf) maintainer and [sigstore/root-signing](https://github.com/sigstore/root-signing) contributor here. I posted a [message on the #python Slack channel](https://sigstore.slack.com/archives/C024FPJKC6L/p1662561658491689) a few weeks back about some WIP changes I have to implement the certificate...

Great! Let me know how you want to proceed. Given timezone differences, if you want to build on my existing work (or even start afresh with that for inspiration) I'd...

Awesome, look forward to seeing your changes. I'd be more than willing to collaborate in any way that is useful for you and your team. Feel free to ping me...

Thanks for chiming in @asraa! To be clear, are we recommending targets are searched by delegation path **not** by the usage field in custom?

My WIP patches have the known cert filenames hard coded and just retrieve those after refreshing TUF metadata. I can pick up work on those patches after KubeCon next week,...

Closing because we can't automatically bridge from DSSE to the current TUF wrapper because canonical JSON is not valid JSON. The most promising route forward is the in-toto approach which...

#183 is a related issue proposing we create a template security reporting policy for projects to use

Note we added mention of the intent for all requirements to be automatically verifiable in https://github.com/slsa-framework/slsa/pull/133#discussion_r690470200

Issue https://github.com/slsa-framework/slsa/issues/46 "Policy & Verification" is related to this. As is #478 on achieving automatic verification.