Billy Lynch
Thanks for tackling this! Initial feedback is this looks good - I'd probably back off labeling AppID as legacy at least for now based on this part of the blog...
/reopen /lifecycle froze
/lifecycle frozen
I'm generally fine with this as long as it's gated by config! Is the idea roughly to dump the Run object as it's own intoto predicate? Might be worth throwing...
https://github.com/chainguard-images/images/pull/405
cc @adityasaky @puerco @TomHennen @patzielinski
I'm not more worried about users fetching predicate data without checking the signature - it's just as easy to `cat | jq .payload | base64 -d` that I don't think...
FWIW I'm not strongly tied to the existing storage setup, mainly wanted to provide some context as to why those choices were originally made. I'm open to storing the whole...
> Maybe an approach we can take is to split the Chains controller, one part of it deals with generating and signing SLSA Provenance, while another deals with image signatures....
I'd recommend against using `tekton-nightly` out of paranoia that tests might gain unintended access to other dogfooding resources. My preference would be to use a new project and/or use [Artifact...