laurentsimon
This pull request proposes a Deployment Attestation, following the process outlined by [ITE-9](https://github.com/in-toto/ITE/tree/master/ITE/9). The purpose of this attestation is to authoritatively bind an artifact to a deployment environment. This allows...
Fix the renovate config to ignore example-trw version bumps. See reasoning: https://github.com/slsa-framework/example-package/pull/244#issuecomment-1648267564 Dismissing the next PRs will probably be enough. @mihaimaruseac @ianlewis
I updated the Action by copying the old Action (https://github.com/slsa-framework/example-package/tree/main/.github/actions/tamper-artifact) into a new one (https://github.com/slsa-framework/example-package/tree/main/.github/actions/tamper-artifact-new). Once it all works, we can delete the old one and rename the new one.
We currently only verify at HEAD https://github.com/slsa-framework/example-package/blob/main/.github/workflows/scripts/e2e.gcb.default.verify.sh#L17
I added https://github.com/slsa-framework/example-package/blob/main/.github/workflows/e2e.generic.schedule.main.multi-subjects.slsa3.yml temporarily to test verification of multiple subjects. It currently calls the verification scripts 3 times, meaning that it compiles the verifier 3 times. We need to update...
My PAT is being rate-limited (it's also used for scorecard weekly cron). We need some more donations. We could have a GENERIC_BLAZE_TOKEN, GENERIC_TOKEN, etc. from different people. /cc @ianlewis @asraa
We need to share the scripts between the main repo and this one to avoid wasting time updating each independently. See https://github.com/slsa-framework/slsa-github-generator/issues/26
We have default `DEFAULT_VERSION` used in workflows that release. We need to validate they are unique to each workflow.