dlorenc
SBOM is somewhat orthogonal - it's a thing that can be attested just like a binary blob. I think what Asra proposed here would just work with SBOMs as well.
I think there's some confusion in the upload flow today that needs to get resolved as we remove the COSIGN_EXPERIMENTAL variable. Right now that implies both uploading to the log...
Will take a look!
> IMHO, it adds extra flexibility to a system for people who might not want to write CUE or Rego policies. Is there a specific system or use case in...
I don't really know if there's anything we can do here. I've noticed it too and the GitHub pull metrics seem inflated way beyond even what I would expect for...
I haven't really played around with this code myself, is it just a matter of hooking up the extra flag?
Are there any updates here? Are we still considering this as a blocker for 1.0?
IMO it's debatable on whether this is breaking or not, we're not changing the API and only disabling things that shouldn't happen anyway. I'm -1 on this being a 1.0...
cc @colek42
Hmm, over here it says it might be in all job tiers: https://docs.gitlab.com/ee/ci/secrets/