Ah, I think you might be pleasantly surprised that this is an area being focused on right now with attestations[1] for example, here are the attestations for the GitHub CLI[2].
Maybe this whole cryptographic stuff has some use, but all that which was needed was for GitHub to declare when a file was uploaded manually and when by a workflow (specifying which workflow).
This looks so complex that it might well be just smoke and mirrors
g-b-r|1 year ago
This looks so complex that it might well be just smoke and mirrors