Luiz Carvalho
Luiz Carvalho
/lifecycle frozen
Yes! To clarify, this is about making Chains stop signing container images. This is *not* about slsa provenance attestation signatures. Those are unaffected and should continue to be produced and...
Re-opening this as I'm still seeing the issue.
Chains already supports various storage backends. Adding support for Archivista makes sense to me. Relevant code: https://github.com/tektoncd/chains/tree/main/pkg/chains/storage
A variation of this might be the solution to a use case I have just come across. I have a Task that produces at least one file which is stored...
After downgrading to `0.6.0`, I was able to run `guardrails hub install hub://guardrails/detect_pii` successfully.
Thanks for filing this, @wlynch! Overall, I do like the idea of doing something about the current state. We should arrive at a point where we can say anything signed...
@wlynch, I believe your comments have been addressed. Could you have another look?
Somewhat related. It would be great if a single malformed secret was handled more gracefully. I have not been able to have this merged: https://github.com/google/go-containerregistry/pull/1834