laurentsimon
`repo` is either public read or write, and I never remember which it is. :)
it's per-user, unfortunately
what do you mean by ORG token? I'm not aware of them. Do they have specific features? Note: we could also create a few "bot" accounts, if that's possible without...
definitely helpful. I did not do it to simplify the workflows, but I agree it's needed to catch other errors.
I'm still actively updating https://github.com/slsa-framework/example-package/tree/main/.github/workflows. I have a couple more to add then I will start adding adversarial e2e tests (caller workflow tampers with the artifact registry we use to...
most TODOs in the e2e-verify.sh are done or cannot be done until we update the verifier (https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e-verify.sh#L176) or cut a release for the verifier (https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e-verify.sh#L177). The other TODOs need to...
@susperius thoughts?
I think the serializer API takes care of it: it takes as input `recompute_paths`; more generally, it takes as input whatever we decide in https://github.com/sigstore/model-transparency/issues/160.
Good observation. I think @mihaimaruseac had a related comment in https://github.com/sigstore/model-transparency/issues/172#issuecomment-2122898110. I think it depends on what level of abstraction we're talking about: the underlying (traditional) hash engine (sha256, etc.), the...
The keyless flow will be handled by `SigstoreSigner` / `SigstoreVerifier` (with optional fulcio / rekor parameters for private deployments). The `PKISigner` / `PKIVerifier` is exclusively for "private" PKI deployment, i.e. ...