Pete Wagner
**Description** In `cosign dockerfile verify`, verification options like `--certificate` and `--certificate-oidc-issuer` are passed as command-line arguments. This leaves the user burdened with mapping certificate criteria to images externally, and for...
### Describe the feature or problem you’d like to solve Integrate the features announced in https://github.com/cli/cli/releases/tag/v2.49.0, to attest the artifacts attached to `cli/cli` releases. The only usage of `id-token:`...
### Describe the bug The `attestation verify` feature matches the certificate SAN against the repository name. When the workflow uses a [`workflow_call`/reusable workflow](https://docs.github.com/en/actions/using-workflows/reusing-workflows), the SAN is the workflow name, which...
**Is your feature request related to a problem? Please describe.** There are 16 entries for `ecosystem: GitHub Actions` currently in the database, https://osv.dev/list?ecosystem=GitHub+Actions&q= All entries provide semver-compatible entries ``` $...
Is there interest in performing analysis of GitHub Actions implementations, e.g. `pkg:githubactions/actions/[email protected]`? I'm interested in the same outputs: files/networks/executables the action performs as it's executing. I'm uniquely interested in writes...
Update the lint configuration to avoid errors. This is a regression since `2024-05-03`. This blocks CI in PRs like #1050 , #1051, etc. Alternatively, consider pinning the `version:` of `golangci-lint`...
### Please describe the enhancement Given a reference like `actions/checkout@v3`, I'd prefer the pinned version to be: `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3.6.0` instead of `actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 # v3`. This difference makes the result...
This metadata makes Rubygems reject pushes that do not use MFA. We obviously use MFA when publishing, but this metadata allows other users of the gem to _confirm_ that we...