Closed. TomHennen closed this issue 3 weeks ago.
Please see the original comment and this discussion
We can continue to discuss this, but probably it will just be "whatever contract is supported by the SCP". If the SCP uses a bot to merge changes, it might be a bot, or else it might be the user who clicks the button. Both can be fine.
Marking "closed" for now! Please feel free to reopen if you feel we didn't address this topic fully 👍
For example, I may click the merge button to add a PR to a GitHub Merge Queue, but the Merge Queue's service principal is the identity who eventually pushes the ref update of the main branch. This is because merge-queue-like systems contain the contents of multiple contributors and change sets.
_Originally posted by @zachariahcox in https://github.com/slsa-framework/slsa/pull/1037#discussion_r1588368932_
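As an added illustration of the merge-queue case described above (this is example code, not part of the slsa-framework discussion or of the SLSA specification), the toy policy check below accepts a ref update when the pushing identity is either a human allowed to merge or a service principal the SCP contract names, and then insists that every change set carried by that push traces back to a reviewed pull request. The record shapes, field names and identities are assumptions constructed for the example.

```python
"""Added example (not from the SLSA discussion or spec): a toy policy check for
ref updates on a protected branch, modelling the merge-queue case where a
human queues a PR but a service principal performs the actual push."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PullRequest:
    """Constructed PR record (hypothetical shape)."""
    pr_id: str
    author: str
    approvers: frozenset


@dataclass(frozen=True)
class RefUpdate:
    """Constructed record of one push to a protected ref (hypothetical shape)."""
    ref: str
    new_commit: str
    pusher: str                 # identity that performed the push
    merged_changes: tuple       # PR ids whose contents landed in this push


@dataclass(frozen=True)
class ScpContract:
    """What the source control platform allows: who may push, and how many
    independent approvals each change set needs."""
    service_principals: frozenset   # e.g. a merge-queue bot identity
    humans_with_merge: frozenset
    min_approvals: int = 1


def evaluate(update, prs, contract):
    """Return (accepted, reasons). Accepted only when the reasons list is empty."""
    reasons = []

    # Either kind of pusher is fine, as long as the SCP contract names it.
    if (update.pusher not in contract.service_principals
            and update.pusher not in contract.humans_with_merge):
        reasons.append(f"pusher {update.pusher!r} is not in the SCP contract")

    # A push to a protected ref must be explained by at least one change set.
    if not update.merged_changes:
        reasons.append("ref update carries no change sets")

    # Each change set in the push (a merge queue may batch several) must be a
    # reviewed PR; approval by the author alone does not count.
    for pr_id in update.merged_changes:
        pr = prs.get(pr_id)
        if pr is None:
            reasons.append(f"{pr_id}: no pull request record for this change set")
            continue
        independent = pr.approvers - {pr.author}
        if len(independent) < contract.min_approvals:
            reasons.append(f"{pr_id}: {len(independent)} independent approval(s), "
                           f"need {contract.min_approvals}")
    return (not reasons, reasons)


# Constructed sample data: two reviewed PRs, one self-approved PR.
PRS = {
    "pr-101": PullRequest("pr-101", "alice", frozenset({"bob"})),
    "pr-102": PullRequest("pr-102", "carol", frozenset({"bob", "dave"})),
    "pr-103": PullRequest("pr-103", "erin", frozenset({"erin"})),
}
CONTRACT = ScpContract(
    service_principals=frozenset({"merge-queue[bot]"}),
    humans_with_merge=frozenset({"alice", "carol"}),
)

# Merge queue batches pr-101 and pr-102 and its service principal pushes main.
QUEUE_PUSH = RefUpdate("refs/heads/main", "c0ffee", "merge-queue[bot]", ("pr-101", "pr-102"))
# A human clicks merge directly on one PR.
HUMAN_PUSH = RefUpdate("refs/heads/main", "beef00", "alice", ("pr-101",))
# An identity the contract does not name pushes.
UNKNOWN_PUSH = RefUpdate("refs/heads/main", "bad000", "mallory", ("pr-101",))
# The bot pushes a batch containing a PR with only self-approval.
SELF_APPROVED_PUSH = RefUpdate("refs/heads/main", "facade", "merge-queue[bot]", ("pr-101", "pr-103"))


if __name__ == "__main__":
    for name, upd in [("queue", QUEUE_PUSH), ("human", HUMAN_PUSH),
                      ("unknown", UNKNOWN_PUSH), ("self-approved", SELF_APPROVED_PUSH)]:
        ok, why = evaluate(upd, PRS, CONTRACT)
        print(f"{name:14s} accepted={ok} {why}")
```

The point of the shape is that the pusher check and the per-change-set review check are separate: the contract decides which identity may move the ref, and the batch contents decide whether each change inside that single push was reviewed, so a merge queue that combines several contributors' changes is evaluated change by change rather than by the single identity that pushed.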