Tim Ellison

Results 105 comments of Tim Ellison

The majority of the [upload-artifact query](https://github.com/search?q=org%3Aadoptium%20actions%2Fupload-artifact&type=code) hits are false positives.

- many are in the mirrored OpenJDK repositories (i.e., `adoptium/jdk8u`, `adoptium/jdk11u`, etc.) and these are not used, and are configured...

All the [download-artifacts query](https://github.com/search?q=org%3Aadoptium+actions%2Fdownload-artifact&type=code) hits are false positives.

- most are in the mirrored OpenJDK repositories (i.e., `adoptium/jdk8u`, `adoptium/jdk11u`, etc.) and these are not used, and are configured not to...

I'd like to separate out the basic mechanism of recording verification build attestations from the details of a visual depiction of a verification (tick marks etc), and the policy of...

[Sigstore](https://www.sigstore.dev/) seems to be a center of gravity in the secure supply chain processes. We should seriously consider using the formats supported by [Rekor](https://github.com/sigstore/rekor) to be able to use that...

> > > I think the Target->component entry should have the full name of the file (e.g. OpenJDK21U-jdk_x64_linux_hotspot_21.0.5_11.tar.gz)
> > >
> > > Not opposed to the suggestion, but...

> I wonder if some third party tools still reference the old repository. Is there a way to find out?

Don't know. JFrog may be able to provide us with...

Looking at references to the AdoptOpenJDK repo. Most I see are Q&A fora where I don't see much value in opening up a long finished thread to update people. Maybe...

> One good option would be to crawl all public GitHub repos for projects referencing adoptopenjdk.jfrog.io

I see [over 2K code references](https://github.com/search?q=adoptopenjdk.jfrog.io&type=code) in GitHub repos, although if you filter that...

Thanks for the comment @karianna. I agree with that. The Secure Workflow tool is handy to figure out/check the action hashes and permissions to commit (though now I've done a...