Matt Moore

Also notable is that we do incorporate the protocol (in a sense) when we are calculating the target address here: https://github.com/knative/serving/blob/2f7b6dbeaf252f736c272d77be7e839db8bb30ab/pkg/reconciler/autoscaling/kpa/scaler.go#L124-L130 However, this doesn't actually influence the request's `Proto` field,...

cc @mlieberman85 who I was telling about this race the other day.

We should track the reference type work in GGCR's `pkg/registry` to test against. If we can flag this on/off then we can also test fallback.

There isn't a form of `verify-attestation` that checks all/multiple predicate types. The predicate type defaults to `custom`, but `verify-attestation` was previously reporting success (for ANY predicate type) if there were...

Here is the GHSA which contains more: https://github.com/sigstore/cosign/security/advisories/GHSA-vjxv-45g9-9296

I would recommend adding an `all` value for `--type`, and (personally speaking) would also be fine with that being the default. However, to illustrate my point: ``` cosign verify-attestation foo...

This gets doubly true when policy arguments are passed to run over attestations matching the `type` 😅 For `--type=all` we would need to think through those arguments behaviors, and possible...

Looks like this didn't catch a few places in `TestYaml` and `TestExample`. The two flavors of issue I see in those are: 1. `image: ko://.../git-init` and `script:` that needs root...

For the first issue, I am hoping a simple `runAsUser: 0` on the relevant steps does the trick (running now). For the second issue, the root cause (I believe) is...

If folks are invoking the `git-init` binary, then perhaps we could check the UID and warn for a release that they should `runAsUser: 0` if they need it, or they...