Ramon Petgrave
Additional discussion, considering using an alternative identity token within PRs - https://github.com/slsa-framework/slsa-github-generator/pull/3777#discussion_r1795254767
One reason to keep it: Cosign, by default, would create an ephemeral key for signing, if the user does not specify a KMS (with an existing stored key) to use....
@haydentherapper yes, I edited my comment to clarify: " if the user does not specify a KMS (with an existing stored key)"
@laurentsimon @ianlewis @slugclub
@malancas Thanks for replying. I could consider using OPA, but it seems very heavyweight, since the CLI almost has support for what I'm requesting, especially around jq. Perhaps you could...
https://github.com/cli/cli/issues/9590#issuecomment-2389674636 is closed so I'll reply here. > As far as I understand it, gh attestation verify is not a tool that verifies SLSA provenance. If verifying SLSA provenance...
@phillmv Thanks for looking into this. SLSA attestations are about much more than being able to validate that an artifact came from a given repository. You can summarize the spec...
@phillmv, any updates?
@phillmv Thanks for taking care of this.
This could get tricky to plan the arguments to `actions/checkout` in the various scenarios, particularly (1) and (3). For (1) we cannot just use all `default` because it would try...