Sambhav Kothari
Would it be better to use cosign? We already use it for signing lifecycle images. FWIW, we can also use it with goreleaser now: https://goreleaser.com/customization/sign/ (goreleaser also allows for gpg...
@DennisDenuto - we were just talking about this during the office hours today - we will be working on an RFC to start the conversation around cosign integration with buildpacks....
@leshik we have several buildpacks that use layer caches with the buildpack 0.7 API and the lifecycle works as intended. The bug is actually in the above provided buildpack implementation. With...
Yes - but it needs to do that each time regardless of whether it found an existing cache or not. Currently it only does that conditionally when it doesn't find...
Created a fix for the BP Author guide at https://github.com/buildpacks/docs/pull/467
This issue can currently only be fixed by maintainers. @samj1912 to figure out a label to tag such issues in the future.
I would like to help out with this if possible. Especially item 2.
Could we instead use syft/grype here btw?
https://github.com/marketplace/actions/anchore-container-scan is the GitHub Action that uses grype. You can pass it the lifecycle image directly or the SBOMs we generate. We can also use syft for the SBOM generation...
+1 on @jromero's idea of using the project descriptor as the input file. I think it also begets the question that was asked in the builder RFC: how many of...