laurentsimon
We currently only test verify-token with the v1.0 predicate
We had an issue about it, but I could not find it, so I'm creating this new one. We need to mask private fields of GH context for privacy reasons:...
We need to verify that the generated provenance is correct. Unit tests and scheduled tests within this repo. The feature was introduced in https://github.com/slsa-framework/slsa-github-generator/pull/2078
We currently don't record the inputs for generators in the `externalParameters` in `verify-token`
We currently shell out to openssl to read the x509 cert info. We can update our code as https://github.com/sigstore/sigstore-js/pull/198#pullrequestreview-1270008968 /cc @asraa
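As an added illustration of the alternative to shelling out (example code written for this page, not the project's own, and not the sigstore-js change linked above): parse the certificate natively with Go's crypto/x509 and read the fields and extensions a verifier cares about. The extension OID used here is a hypothetical one in the private-enterprise arc, chosen only so the example is self-contained; the certificate it parses is a self-signed one generated inline, so nothing depends on openssl being installed or on network access.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// exampleOID is a hypothetical extension OID used only for this example;
// it is not a real Sigstore/Fulcio OID. A real verifier would look up the
// OIDs it needs from the issuing CA's documentation.
var exampleOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}

// CertInfo holds the fields a verifier typically wants out of a signing cert.
type CertInfo struct {
	Subject   string
	Issuer    string
	NotBefore time.Time
	NotAfter  time.Time
	Extension string // value of exampleOID, if present
}

// readCertInfo parses a PEM-encoded certificate in-process instead of
// invoking `openssl x509 -text` and scraping its output.
func readCertInfo(pemBytes []byte) (*CertInfo, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE PEM block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, fmt.Errorf("parsing certificate: %w", err)
	}
	info := &CertInfo{
		Subject:   cert.Subject.String(),
		Issuer:    cert.Issuer.String(),
		NotBefore: cert.NotBefore,
		NotAfter:  cert.NotAfter,
	}
	// Custom extensions are exposed as raw DER bytes; the caller decides how
	// to decode them. This example treats the value as a plain string.
	for _, ext := range cert.Extensions {
		if ext.Id.Equal(exampleOID) {
			info.Extension = string(ext.Value)
		}
	}
	return info, nil
}

// makeTestCert builds a short-lived self-signed certificate carrying the
// custom extension, so the parser above has constructed input to read.
func makeTestCert(extValue string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:    big.NewInt(1),
		Subject:         pkix.Name{CommonName: "example-signer"},
		NotBefore:       time.Now().Add(-time.Minute),
		NotAfter:        time.Now().Add(10 * time.Minute),
		KeyUsage:        x509.KeyUsageDigitalSignature,
		ExtraExtensions: []pkix.Extension{{Id: exampleOID, Value: []byte(extValue)}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	pemBytes, err := makeTestCert("https://token.actions.githubusercontent.com")
	if err != nil {
		panic(err)
	}
	info, err := readCertInfo(pemBytes)
	if err != nil {
		panic(err)
	}
	fmt.Printf("subject=%s issuer=%s ext=%s\n", info.Subject, info.Issuer, info.Extension)
}
```

Parsing in-process also removes the dependency on the openssl binary being present on the runner and on its text output format staying stable, which is what a shell-out scraper implicitly relies on.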
We currently use `externalParameters.workflow` for generators. There is WIP to better define how to report this, and maybe have it under resolvedDependencies with annotations.
We need to verify whether PATs are still needed for private repositories, and update the doc if they are not.
The Action runs scorecard twice: once for the SARIF results, and once to upload the results to the API server. This increases rate limits and is also slower. We need...
Context: Overall we would like to offer a unified CLI / API (as part of https://github.com/google/model-transparency) to sign and verify AI artifacts. We've received interest to support custom PKIs. IIUC,...
See https://github.blog/changelog/2022-12-06-limit-scope-of-npm-tokens-with-the-new-granular-access-tokens/