ChristianCiach

We use "one realm per namespace", so we don't encounter this issue, since we are just deploying our job for each namespace separately. This doesn't sound like an option to...

Should this issue be closed? The MR has been merged well over a year ago.

We've used the above workaround for quite a while with good success: ```yaml apiVersion: kbld.k14s.io/v1alpha1 kind: Config minimumRequiredVersion: 0.17.0 overrides: - image: nginx:1.14.2 newImage: nginx:1.14.2 preresolved: true ``` But now...

Yeah, I also don't have a very good idea how kbld should handle this case. I actually don't need this fixed, because I don't actually need an imgpkg lockfile. I...

No, I didn't even know about this flag's existence! Thank you, I will try this next week at the latest and will report back then.

@joaopapereira Thank you, that's exactly what I was looking for! I don't know how I could overlook this option.

This seems to be obsolete now that https://github.com/argoproj/gitops-engine/pull/560 has been merged, I think.

> `zot` is positioned to be a good fit in the OCI ecosystem, which means one builds OCI natively [1], signs OCI [2][3], and pushes/pulls OCI to/from zot. As it...

After reading this and related issues and PRs, I want to challenge the definition of what it even means to be "vendor neutral". It seems to be the interpretation of...

@rchincha That's because cosign only implements (guarded behind an experimental flag) OCI support for signatures and sboms, but not for attestations. See https://github.com/sigstore/cosign/issues/1397#issuecomment-1431067711 Unfortunately there has been absolutely no progress...