asraa
> Agreed, I think we will want to support properly in the future via a rekor address/port + public key input so we can support private rekor servers. All set....
> BTW, I think in a PR on Sigstore, Bob commented that rekor staging instance is unstable. So can we reliably use it? Hmmm :/ I do know that there...
> Alright, if it's moot shall we close it and take the commits for using a private Rekor? I can close it! I think we want both private Rekor and...
I think we should include the SLSA material for actions. Unless we can re-use a GitHub workflow SBOM-maker somewhere. I think the go builder should generate SBOM eventually, and we...
How can we also augment the provenance for custom info if they want to use this in a particular ecosystem? Maybe there are particular fields that people want to pass...
Exactly that! Sorry, context was that cosign has an action called `cosign-installer` that installs the binary into the workspace to use cosign CLI.
It is true that this happens because of the `pull_request` trigger. Because of this, the workflow can't access the OIDC token required to create the Fulcio issued certificate. Can we...
That would be an easy fix, we can modify `IsPresubmitTests()`: https://github.com/slsa-framework/slsa-github-generator/blob/1a55da84338004ca26d38b941483c89ab93a695d/internal/utils/presubmits.go#L20 @laurentsimon any opposition to allowing all `pull_request` triggers here?
> pull_request is already listed, is it not? Must be `pull_request` AND this repository, I can change to remove the AND
Yes, exactly: only if a dry-run input option is passed in.