Facundo Tuesca
I've been looking into how we can implement this. I've written up the relevant facts about how GitHub and PyPI currently handle OIDC claims, and at the end I specify...
> Is there a reason why we cannot match on `workflow_ref` (the top-level workflow) only? What type of attack are we mitigating by checking `jobs_workflow_ref` as well? The scenario we're...
> @facutuesca and the environment name matching remains the same, right? @webknjaz Yes, the environment check will still be against the `environment` claim sent by GitHub ---- @jaraco > >...
> > If we only match on `workflow_ref` (that is, `ci.yml`), that means all of the workflows there will be able to publish packages. By adding the extra constraint of...
> @facutuesca would you be open to researching this and perhaps adding a smoke test job to our CI with a custom `container:` entry? @webknjaz The issue is due to...
@WilliamStam I think this might be a bug on Gitea's side, since they do seem to support `GITHUB_*` environment variables. See for example https://github.com/go-gitea/gitea/issues/25816, where they fix one of them....
@kj-powell Hi, I can provide one: we're currently finishing up the last remaining hours and have a single task before doing a [1.0 release](https://github.com/sigstore/rekor-monitor/issues/806) for the monitor, which should close...
> The slowest parts of the current linting are curlylint and mypy - neither of which are ruff-supported yet - did your tests exclude these from timings? No, the test...
IMO having those lists of forbidden names is fine, since they are documented on [GitLab's docs](https://docs.gitlab.com/ee/user/reserved_names.html#reserved-project-names). For me the important question is if having such exhaustive checking is worth it....
> I'm still not clear on the status of the dist-inspector plugin type. Is it intended as an actual, supported plugin type for pip? > .... > Rather, we should...