Support regex to verify releaser identity #9
Comments
|
I think it's better to have the |
laurentsimon
changed the title
|
This line will also need to be updated https://github.com/laurentsimon/slsa-policy/blob/main/cmd/evaluator/internal/utils/crypto/crypto.go#L255. We need to extract the identity from the cert |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I've currently hardcoded this for the releaser verification to
@refs/heads/mainfor full ID matching. For versioned releaser, we need more flexibility. I don't think this needs to be in the policy itself. Instead, it can be in the verifier's code, and will be an input to the CLI / GHA as "--releaser-ref-regex" in addition to--release-ref.The limitation is that if an org starts with head and want to migrate to version, it will be hard. Having it in the policy itself could be more flexible: the org can define multiple roots for each.
The text was updated successfully, but these errors were encountered: