# Policy entry for the package scope 'acorn://foo'.
scope: 'acorn://foo'
# Level targeted for this scope.
# NOTE(review): the SLSA v1.0 Build track stops at L3; L4 exists only in the
# older v0.1 level set -- confirm which SLSA version this enum follows.
target_level: SLSA_L4
# GitHub Actions builder rule: names one workflow, one source repository and
# one branch.
allow_github_actions {
# Builder workflow, referenced by repository path and git ref. It lives in a
# different repository (gossts/slsa-acorn) than the source being built.
# NOTE(review): '@main' is a branch ref and can move. If the verifier matches
# this value as written, whatever is on main at build time is the trusted
# builder; a release tag or full commit SHA would fix the builder's content --
# confirm which ref forms the policy format accepts.
workflow: 'https://github.com/gossts/slsa-acorn/.github/workflows/builder.yml@main'
# Repository the package source is expected to come from.
source_repo: 'https://github.com/foo/acorn-foo.git'
# Branch named for that repository.
# NOTE(review): presumably compared with the ref recorded in the provenance;
# verify against the verifier implementation.
allow_branch: 'main'
}
# Policy entry for the package scope 'acorn://qux'.
scope: 'acorn://qux'
# NOTE(review): the target here is SLSA_L0, while the delegated-verification
# rule below asks for at least SLSA_L3 -- confirm how the two values interact
# and that L0 is intended for this scope.
target_level: SLSA_L0
# Delegated verification implicitly checks that the package name we're
# checking matches the VSA's subject.name field.
# NOTE(review): this block's opening brace has no matching '}' in this excerpt,
# and neither does allow_fulcio_builder below, so it cannot be told from here
# whether the two blocks are nested or siblings.
allow_delegated_verification {
# Identifier of the verifier whose VSAs are accepted.
# NOTE(review): nothing in this excerpt binds the identifier to a signing key;
# confirm where the verifier's key or certificate is pinned, since the VSA is
# only as trustworthy as that binding.
trusted_verifier: 'https://delegatedverifier.com/slsa/v1'
# Presumably the lowest level the VSA may report for the package itself --
# confirm.
minimum_level: SLSA_L3
# Presumably the lowest level the VSA may report for the package's
# dependencies -- confirm.
minimum_dependency_level: SLSA_L2
# Builder rule keyed on a SPIFFE ID and an entry point.
allow_fulcio_builder {
# SPIFFE ID naming the builder.
# NOTE(review): presumably matched against the identity in a Fulcio-issued
# certificate; confirm that the match is exact rather than by prefix.
id: 'spiffe://foobar.com/foo-builder'
# Entry point named for builds from this builder.
# NOTE(review): no source repository or branch is listed next to it in this
# excerpt, unlike the GitHub Actions rule -- confirm whether the source is
# constrained elsewhere.
allow_entrypoint: 'package.json'