asraa
Awesome, sorry about that! @jeffmendoza and I can make a PR for the configuration YAML
Can I try this one? One thing I can't figure out is if it should be merged into Token Permissions and that be renamed, or totally separate like "Workflow Patterns"
> how about the scenario where ref is used and permissions are set to XXX:write but XXX is not contents or packages? maybe i'm missing something but isn't even read...
Yeah! That's correct. They're unsigned, just useful for extra metadata that might help for location or organization. LGTM
Hey! Ah sorry, originally, we wanted to add tags on who created the attestation (e.g. this came from a github reusable workflow), and use that as a hint to verify,...
`cosign inspect` would also allow someone to make policy based on what TUF metadata was used. e.g. can we include the Rekor/Fulcio repository name included? Even if your client accepts...
Hey @tonistiigi - thanks for the issue! > Could imagine a case where untrusted party has managed to trigger a workflow run on their terms and then tries to make...
Ah sure! Sorry I was OOO until I got the ping :)
> Having a method to determine the correct Rekor pubs sounds generally useful outside of cosign. Can we add this to sigstore/sigstore and just call it from cosign? That's the...