Description
https://github.com/philips-labs/slsa-provenance-action generates provenance where each tag is captured as a subject in the provenance.
Cosign is currently only capturing the repository as a subject.
See philips-labs/slsa-provenance-action#159 for more details on how we use both slsa-provenance and cosign in our workflow.

Currently there is no way to instruct cosign to take all the tags for a given digest. The downside of this is that you can't easily relate from the build provenance which tags have been released for a given digest/image.
Is this a feature that can be added to cosign? Or maybe should we drop this feature?
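
The lookup this issue asks for, shown as an added example that is not code from cosign or slsa-provenance-action: given an in-toto statement, list the tags recorded for one digest. It assumes subject names are image references; the statements, registry name and digest are constructed, and `split_ref` and `tags_for_digest` are hypothetical helpers.

```python
# Constructed sample data: neither statement is real output of either tool.
DIGEST = "a" * 64
OTHER = "b" * 64
REPO = "localhost:5000/example/app"

# Assumed shape when every tag is its own subject.
PER_TAG = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [
        {"name": REPO + ":v1.2.3", "digest": {"sha256": DIGEST}},
        {"name": REPO + ":latest", "digest": {"sha256": DIGEST}},
        {"name": REPO + ":v1.2.2", "digest": {"sha256": OTHER}},
    ],
}

# Assumed shape when only the repository is the subject.
REPO_ONLY = {
    "_type": "https://in-toto.io/Statement/v0.1",
    "subject": [{"name": REPO, "digest": {"sha256": DIGEST}}],
}


def split_ref(name):
    """Split an image reference into (repository, tag or None)."""
    name = name.split("@", 1)[0]  # drop a trailing @sha256:... if present
    # Only a colon in the last path component is a tag separator;
    # a colon earlier in the name is a registry port (localhost:5000).
    last = name.rsplit("/", 1)[-1]
    if ":" in last:
        repo, tag = name.rsplit(":", 1)
        return repo, tag
    return name, None


def tags_for_digest(statement, sha256):
    """Return {repository: sorted tags} for subjects matching sha256."""
    found = {}
    for subject in statement.get("subject", []):
        if subject.get("digest", {}).get("sha256") != sha256:
            continue
        repo, tag = split_ref(subject["name"])
        tags = found.setdefault(repo, set())
        if tag:
            tags.add(tag)
    return {repo: sorted(tags) for repo, tags in found.items()}
```

With the repository-only statement the digest still matches, but the tag list comes back empty, which is the gap the issue describes.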