asraa

Results 448 comments of asraa

Revisiting this: Can we add runner context https://docs.github.com/en/actions/learn-github-actions/contexts#runner-context directly into the provenance? We would need to record the runner context of the build step in the reusable workflow, right? That...

Is this just a transient error? (From the rate limiting issue?) I tried a couple of re-runs, but haven't hit it yet EDIT: or maybe it's a go version? That...

Just adding some context or comments or lessons learned from `cosign`: There's a proposal for a more specified bundle: https://github.com/sigstore/cosign/issues/2131. Depending on your timeline of course, you may just want...

> But I can do that separately and use a bundle generated by cosign instead, if we'd like to keep the diff small(er).

I may not necessarily totally use cosign's...

> I also need to check the offline Rekor bundle's consistency against the certificate and signature, since someone could conceivably ask me to verify a completely unrelated (but valid) Rekor...

> the hashedrekord here should have the same layout as the one we POST to Rekor's REST API, right? Plus canonicalization and base64 encoding, of course.

Correct. The canonicalization is...

@developer-guy @caarlos0 cc @laurentsimon Hey! As mentioned before, we've been creating trusted builders using reusable workflows to generate SLSA provenance. For Golang, we modeled our config after goreleaser. The reusable...

> spec should not approve of the current go-tuf ecdsa format: it seems to be a bug

I agree, it seems it was just legacy code. On the other hand,...

Yeah, it's not high priority, but it's a good cleanup.

> Has anybody started work on this yet? Maybe we can integrate the slsa-github-generator as a lib.

Hey! Recently @laurentsimon and I have been working on creating an "action wrapper"...