Matt Moore
/lifecycle frozen
I'm guessing this boils down to your usage of github.com/google/go-containerregistry, which we (knative/serving) use for digest resolution. I'd wager a similar workaround to what we have documented here would work...
```
curl https://gitlab.com/.well-known/openid-configuration
```

```json
{
  "issuer": "https://gitlab.com",
  "authorization_endpoint": "https://gitlab.com/oauth/authorize",
  "token_endpoint": "https://gitlab.com/oauth/token",
  "revocation_endpoint": "https://gitlab.com/oauth/revoke",
  "introspection_endpoint": "https://gitlab.com/oauth/introspect",
  "userinfo_endpoint": "https://gitlab.com/oauth/userinfo",
  "jwks_uri": "https://gitlab.com/oauth/discovery/keys",
  "scopes_supported": [
    "api",
    "read_user",
    "read_api",
    "read_repository",
    "write_repository",
    "read_registry",
    "write_registry",
    "sudo",...
```
It looks like it doesn't support configuring `aud` (e.g. to `sigstore`)
That feels like a slippery slope. Once we allow it, it's hard to take back and ~every other piece of Vault OIDC documentation I've seen uses `aud: vault`. GitHub as...
The general goal is “no bigger”. Same size seems inevitable in such cases, but I think we would all be curious if the apko version was larger than the traditional...
Generally 👍 from me. I like the idea of source-level dependencies for these, certainly by default. I think we could simplify a number of the distroless images using this, especially...
+1 to emitting the rendered version for debugging, that sounds very helpful. Ironically this is what made debugging `#include` palatable in my C++ compiler days, and I was always unhappy...
It would also (ideally) consume `package-lock.json`. I would be happy to hop on a quick hangouts call if you want to know how I was able to do this for...
Yeah, I found your tool after I filed this. I think that essentially what you want is for the repository rule to run this tool (or something like it) automatically....