TUF community,
Looking for an example (or ref. implementation) of how TUF could be applied to DevSecOps roles as part of an automated CI/CD pipeline (ala Tekton), but inclusive of Committers/Owners and Release Managers.
I have scanned many videos found on youtube and elsewhere from conferences showing end-artifact/package manager signing, but would like to have one that goes back further to actual commits (committers) and artifacts produced along the CI/CD pipelines.
Anything at all in towards this use case realization would be appreciated.
Cheers,
Matt
PS TBH, I am looking to create even further processes for OSS clearance as well to prove pedigree and provenance as well before allowing packages to be brought into other projects as deps. ... but CI/CD is a starting point.