Luiz Carvalho

I see that the fix is in main and 0.40.2, but the integration tests are still failing. The integration tests use the nightly build which as of today is `v20221004-5d34b0c783`....

Could this be a good place to store information about the Task (for TaskRun attestations) and the Pipeline (for PipelineRun attestations) definitions? Currently, this information is not stored in the...

@chuangw6, I remember a comment from @priyawadhwa that if we populate configSource, we shouldn't update buildConfig. Maybe I misunderstood the comment?

Since there's agreement in deprecating `taskRun.spec.taskRef.bundle` and `pipelineRun.spec.pipelineRef.bundle`, should we add the "bundle" resolver to the list of out-of-box resolvers?

Looks like this was resolved in https://github.com/containers/podman-compose/commit/27d3cafb7b33fd50c133004e7ebb5ba9f201bf90 ?

Why not just hash the whole VCS directory and use whatever hash algorithm the user wants? This would probably have to exclude things like the `.git` directory which may(?) contain...

/lifecycle frozen (This is an important feature that we should add to Chains, thus adding a lifecycle exemption).

If a TaskRun produces the SBOM, it seems odd to have Chains blindly sign it. This opens the door to problems that could reduce the trust of such signed SBOMs....

This has an impact on `afero.Walk` as it relies on `IsDir()`. If you only care about following the symlink of the root directory **and** you're using `OsFs`, then using [EvalSymlinks](https://pkg.go.dev/path/filepath?utm_source=godoc#EvalSymlinks)...

An alternative is to introduce a new Chains configuration to ignore any resource created prior to a given date, e.g. ```yaml ignore-older-resources: 2023-01-01T00:00:00Z ``` That could potentially give a hook...