mozilla / shield-studies-addon-utils

Mozilla Public License 2.0

Automatic signing of add-ons in CI #241

Open motin opened 6 years ago

motin commented 6 years ago

This would allow us to test against branded release and beta in CI, as well as give QA access to signed add-ons for testing purposes.

I understand that this requires manual intervention for security reasons, but maybe we can set up a CI workflow with a manual approval step that runs on the master branches in selected repositories?

After the manual approval is given, the automated tests can then run also on branded release/beta and be available for download for manual testing.

aswan commented 6 years ago

Please consider not doing this. Only code that has gotten a thorough review should be signed. We can't revoke individual signatures so if something with a security issue gets signed, our only recourse will be blocklisting the affected extension which will cause a series of other headaches.