samhclark / custom-silverblue

Following Jorge Castro's lead and making my own spin on Silverblue

Sign resulting images with Cosign #3

Open samhclark opened 5 days ago

samhclark commented 5 days ago

There are two options that I need to explore and consider the threat model for.

  1. Generate my own Cosign private key and store it as a secret in GitHub Actions. Check the public key into the repository.
  2. Use the OIDC integration with GitHub Actions to sign it with a key bound to my identity. No secrets in GHA, but maybe more complicated key distribution and setup? Maybe harder if I ever change my username or have others collaborate on this repo?
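The two options above written out as one GitHub Actions workflow, an added example that is not the repository's own workflow or anything from the issue; the image name ghcr.io/samhclark/custom-silverblue, the workflow path .github/workflows/build.yml and the main branch are assumed placeholders.

```yaml
# Added example, not this repository's workflow. Placeholders: the image name
# ghcr.io/samhclark/custom-silverblue and the path .github/workflows/build.yml.
on:
  push:
    branches: [main]

jobs:
  build-sign:
    runs-on: ubuntu-latest
    permissions:
      packages: write   # push to GHCR
      id-token: write   # needed only for option 2 (keyless OIDC signing)
    steps:
      - uses: actions/checkout@v4
      - uses: sigstore/cosign-installer@v3
      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ghcr.io/samhclark/custom-silverblue:latest
      # Option 1: key pair from `cosign generate-key-pair`. Private key and its
      # password are repository secrets; cosign.pub is committed, and users run
      #   cosign verify --key cosign.pub ghcr.io/samhclark/custom-silverblue:latest
      - name: Sign with a key held in GitHub secrets (option 1)
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
        # Sign the digest, not the tag, so the signature is bound to this build.
        run: >-
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY
          ghcr.io/samhclark/custom-silverblue@${{ steps.build.outputs.digest }}
      # Option 2: keyless. Fulcio issues a short-lived certificate bound to this
      # workflow's OIDC identity, so no secret is stored in GHA. Verifiers pin
      # that identity (a username or repo rename changes the value they pass):
      #   cosign verify \
      #     --certificate-oidc-issuer https://token.actions.githubusercontent.com \
      #     --certificate-identity https://github.com/samhclark/custom-silverblue/.github/workflows/build.yml@refs/heads/main \
      #     ghcr.io/samhclark/custom-silverblue:latest
      - name: Sign with the workflow's OIDC identity (option 2)
        run: >-
          cosign sign --yes
          ghcr.io/samhclark/custom-silverblue@${{ steps.build.outputs.digest }}
```

Only one of the two signing steps is needed in practice; the workflow carries both so the secret handling and the verifier-side command for each option sit side by side. For option 2, `cosign verify` also accepts `--certificate-identity-regexp` when the exact workflow path should not be hard-coded by verifiers.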

samhclark commented 4 days ago

Oops. #4 not #3