Questions/feedback for "GitHub workflow setup" #832

@ericcornelissen

Description

I came here from Catching malicious package releases using a transparency log and wanted to give the GitHub Actions setup a try, however I'm struggling a bit to understand everything. I'm by no means an expert in Rekor/Transparency logs, but I imagine you'd like this project to be used by people that aren't, so I don't think reporting these "shortcomings" should be considered unreasonable.

  • What does the Consistency check do? I think it monitors the transparency log for entries corresponding to the repository in which the workflow is running; it would be nice to have that spelled out in the docs.
  • What does it mean for there to be a monitoring failure? Conceptually I understand but practically I don't know how the workflow would know when a transparency log entry is problematic...
  • I'm afraid there's no satisfactory answer here but why does it need id-token: write permission? The reason I ask is because it just feels very dangerous, consider: "Hey, just use this tool and we will monitor the transparency log for you. We just need your id-token that we can abuse and then neglect to inform you about it if we do."
  • Please, please don't make me use @main. While I don't mind using the commit SHA, having actual human-readable and machine-usable version tags to refer to is, imho, a must.
  • Not a big deal but does file_issue open an issue every time it detects a problem, or does it use one "status" issue that it updates and manages over time?
  • Even though I wasn't planning on using it, I have a bit of a hard time understanding how I should use the Configuration file format. I suppose part of the reason for having the alternative workflow is that I wouldn't need to know. Still, as a piece of feedback, the structure of the file is not enough for someone outside the project to understand how to use it.
  • Add yaml here, here, and here for syntax highlighting.
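A small audit a workflow maintainer could run over their own workflow file to catch the two concerns raised above, references that are not pinned to a full commit SHA (such as `@main` or a tag) and broad `write` permissions like `id-token: write`. This is an added example, not code from the issue or from the project it is filed against; the sample workflow text and the `example-org/example-monitor-action` path are constructed placeholders.

```python
import re

# Constructed sample workflow (not from the issue); the action path is a placeholder.
SAMPLE_WORKFLOW = """\
name: monitor
on:
  schedule:
    - cron: '0 * * * *'
permissions:
  id-token: write
  issues: write
jobs:
  monitor:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/example-monitor-action@main
        with:
          file_issue: true
"""

# `- uses: owner/repo@ref` lines; capture the action path and the ref after '@'.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^@\s]+)@(\S+)")
# `name: read|write|none` lines inside a permissions block.
PERM_RE = re.compile(r"^\s*([a-z-]+):\s*(read|write|none)\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Write scopes worth a second look before granting them to a third-party action.
RISKY_WRITE = {"id-token", "contents", "actions"}


def audit_workflow(text: str) -> list[str]:
    """Return one finding per unpinned action reference or risky write permission."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            if action.startswith(("./", "docker://")):
                continue  # local or container actions are pinned differently
            if not SHA_RE.match(ref):
                findings.append(f"line {lineno}: {action}@{ref} is not pinned to a full commit SHA")
            continue
        m = PERM_RE.match(line)
        if m and m.group(2) == "write" and m.group(1) in RISKY_WRITE:
            findings.append(f"line {lineno}: '{m.group(1)}: write' granted; confirm the action needs it")
    return findings
```

Pin to a SHA and keep the version in a trailing comment (`uses: owner/repo@<sha> # v1.2.3`) so the reference stays both machine-usable and human-readable.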
