Hi!
The recent rekor sharding broke our SLSA builders (slsa-framework/slsa-github-generator#876 (comment)) and @laurentsimon and I were discussing that we have been finding almost all production issues reported in our e2e test suite.
What we were wondering is if we can either donate our e2e testing to the upstream community: we can file issues against sigstore when our tests fail due to verification errors. OR more importantly, sigstore can maintain a list of CRITICAL projects that must continue to satisfy rekor lookups, or cosign verifications, before rolling out any server changes.
Is this possible?
Bazel CI does this for critical projects: