asraa
asraa
> In pre-submit there is no provenance to verify, so do we need this special case? Do we expect to give users an Go API for their pre-submits? Sorry, i...
> What do you mean? I can only test the e2e repo exception for using a non-tagged builder in verifier tests before we tag one for release. (As in, I...
> There may be use cases where the TRW repo wants to call their own TRW to cut a release too Yes... I was thinking there might a case like...
That would restrict them from only being able to test `slsa-verifier` inside the workflow. It's a little restrictive but maybe that's a good thing! That ensures that someone doesnt download...
How do you think we should handle this before we officially GA delegator? (All current TRW writers are calling `@main`). Is it possible to use release another `0.0.3` tag (which...
Other convo: * Make it clear that user needs to specify https:// * Request full Builder ID until someone asks about pinning trust on just the org or repo
YES! If we are OK with this I'd love to enhance the package API: https://github.com/slsa-framework/slsa-verifier/issues/422 @behnazh-w curious if you have feedback here. I've been holding off on library updates because...
deadcode is deprecated and replaced by unused. just FYI
> Yeah, we can just remove it and varcheck (though I see you removed it already) since we already have unused enabled. Weirdly enough, it still seemed to be working....
We can do this. It requires regenerating some of the older testcases that didn't have SCT's added by default.