Hi!
The recent rekor sharding broke our SLSA builders (slsa-framework/slsa-github-generator#876 (comment)), and @laurentsimon and I were discussing that we have been finding almost all production issues reported through our e2e test suite.
What we were wondering is whether we can either donate our e2e testing to the upstream community (we can file issues against sigstore when our tests fail due to verification errors), or, more importantly, whether sigstore can maintain a list of CRITICAL projects that must continue to satisfy rekor lookups or cosign verifications before rolling out any server changes.
Is this possible?
Bazel CI does this for critical projects: