Vladimir Sitnikov

Results 1323 comments of Vladimir Sitnikov

> any idea what is causing the SSL errors?

It turns out `docker/postgres-head` does not configure SSL at the database side. I suggest skipping the HEAD+SSL combo for now, so we...

> I'm pretty sure the server is already smart enough to deal with it on the backend when the socket is terminated

The server can't tell if the socket was...

I guess we do not have specific tests for `skip` as we used the default implementation. Sure, if we add a custom implementation, we'll need to cover it with tests....

In fact, the current implementation of `reset` resets the cached data, so there's not much value in testing a mix of read/mark/reset calls. mark/reset is tested in `org.postgresql.test.jdbc2.BlobTest#markResetStream`.

A critical PR is

* https://github.com/sigstore/sigstore-java/pull/317

otherwise the generated bundle is just invalid as it is missing the `signature` field. That would be pretty good, however, you'll need to update `sigstore-java` every...

Of course, you can sign all the jars, poms, and other files via Action. Here's the way you can generate signatures: https://github.com/sigstore/protobuf-specs/blob/16541696de137c6281d66d075a4924d9bbd181ff/java/scripts/sign_and_bundle_release.sh#L72

Just in case, the most secure approach would be signing the files within a separate GitHub workflow, so only well-known binaries have access to signing credentials (e.g. OIDC token). In...

One more thing: there's https://github.com/slsa-framework/slsa-github-generator effort to come up with a reusable workflow for creating the attestations.

> Something similar to:
> https://github.com/junit-team/junit5/blob/700c2d4f25b48bfc4970f99d3198af5e8c5e3f37/.github/workflows/main.yml#L68

The sad thing is that you launch Gradle with all the third-party plugins with Sonatype credentials. In the ideal world, we would like to expose credentials...

> [Delete attestations](https://github.com/orgs/community/discussions/122028#discussioncomment-9345999) generated by pull requests

In practice, you don't want to allow `id-token: write` for pull request builds as they might generate attestations that look like "produced by junit-team". https://github.com/sigstore-conformance/extremely-dangerous-public-oidc-beacon...
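The two points raised in the comments above (sign in a separate workflow so that only known binaries ever see the OIDC token, and never grant `id-token: write` to pull request builds) can be expressed as GitHub Actions permission scoping. The workflow below is an added illustration written for this page, not the commenter's code and not the junit-team or sigstore-java configuration; the job names, artifact paths, the use of `sigstore/cosign-installer` with `cosign sign-blob --bundle`, and the `release.tar.gz` file name are assumptions made for the example.

```yaml
# Added example: keystone idea is that the build job (which runs Gradle and
# every third-party plugin) gets NO id-token permission, while the signing job
# runs only a pinned, well-known signer binary with a minimal permission set.
name: release

on:
  push:
    tags: ['v*']        # tagged releases only; pull_request is deliberately absent

# Workflow-wide default: read-only. Jobs must opt in to anything more.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    # No id-token here: Gradle and its plugins run without a signing identity.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4
      - name: Build (assumed command; replace with the project's own)
        run: ./gradlew build
      - uses: actions/upload-artifact@v4
        with:
          name: release-files
          path: build/libs/   # assumed output directory

  sign:
    needs: build
    runs-on: ubuntu-latest
    # Only this job can mint the OIDC token, and it runs only the signer.
    permissions:
      contents: read
      id-token: write
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: release-files
          path: release-files
      - uses: sigstore/cosign-installer@v3
      - name: Keyless-sign every artifact and emit a Sigstore bundle
        run: |
          set -eu
          for f in release-files/*; do
            # --yes skips the interactive prompt; --bundle writes the
            # verification material (cert, signature, log entry) next to the file.
            cosign sign-blob --yes --bundle "$f.sigstore.json" "$f"
          done
      - uses: actions/upload-artifact@v4
        with:
          name: release-signatures
          path: release-files/*.sigstore.json

---
# Added example, separate file: the pull request workflow. It never requests
# id-token, so a PR build cannot obtain a certificate naming this repository.
name: pr-build

on:
  pull_request:

permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./gradlew build   # assumed command
```

The `---` separates two workflow files that would live as two documents under `.github/workflows/`. The security property to check when reviewing such a setup is simply which jobs carry `id-token: write`: anything that can run untrusted code (a PR build, or a build step loading third-party plugins) must not, because the resulting Fulcio certificate would carry this repository's identity regardless of who authored the change.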