asraa
asraa
> So the dry-run would generate the signatures on triggers that support it, and not for triggers like pull_request, or no generation in both cases? I was thinking yes, that...
Definitely let's upload. > I'm wondering if it would help to embed the UUID as part of this proposal https://github.com/sigstore/cosign/issues/1743 I think the most striaghtforward would be to embed the...
It would, that's right. I only say it's better to add cert because that's more understandable than a UUID annotation. On the other hand, I wonder what prevents having custom...
> we could allow folks to specify their own address for rekor/fulcio servers in a config file at the base of the repo like the one slsa-github-generator-go has. The biggest...
Figured it out. I guess at some point (not sure why it wasn't caught before) intermediates became necessary. Adding the fix. I will put out a patch release for v1.0...
This should be fixed in the patches linked above!
For subject output measurement: this would require one of 1. User specifying some output to measure for subject 2. Measure the output files of some workflow directly I like (2)...
I guess I can't merge against v0.0.2 tag...
Hey! Good question -- this was to fix the v0.0.2 builder, but we don't hav e a release branch that I was able to push the fixes to. We can...
I LOVE THIS IDEA. This would make it foolproof to setup trusted builders. Which is more important than distributing builders :)