Have orgs done this manually in the past? For example, they have a private key that is stored in Github secrets and it signs the artifact upon action completion and posts it to some tamperproof registry.

Then anyone can verify it by checking the signature and contents against the org's public key, which is made available somewhere.

This certainly seems like a UX improvement, and a simpler (and thus safer) key management process.
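The manual flow the comment describes, as an added example that is not from the original thread or any specific project: the release job signs the SHA-256 digest of the artifact with a long-lived Ed25519 key (the kind an org would keep in CI secrets), and a consumer verifies both the digest and the signature against the published public key. Key generation here stands in for the org's stored key; the artifact bytes are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Attestation is the record a release job would post next to the artifact:
// the artifact's SHA-256 digest and an Ed25519 signature over that digest.
type Attestation struct {
	Digest    string // hex SHA-256 of the artifact bytes
	Signature []byte // signature over the raw digest bytes
}

// SignArtifact is the CI-side step, run with the private key held in secrets.
func SignArtifact(priv ed25519.PrivateKey, artifact []byte) Attestation {
	sum := sha256.Sum256(artifact)
	return Attestation{
		Digest:    hex.EncodeToString(sum[:]),
		Signature: ed25519.Sign(priv, sum[:]),
	}
}

// VerifyArtifact is the consumer-side step, run with the org's public key.
// It recomputes the digest from the bytes actually downloaded, so an artifact
// swapped after signing, an edited registry entry, or a signature made with a
// different key all fail.
func VerifyArtifact(pub ed25519.PublicKey, artifact []byte, att Attestation) error {
	sum := sha256.Sum256(artifact)
	if hex.EncodeToString(sum[:]) != att.Digest {
		return errors.New("artifact digest does not match attestation")
	}
	if !ed25519.Verify(pub, sum[:], att.Signature) {
		return errors.New("signature invalid for this public key")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // stands in for the stored org key
	artifact := []byte("constructed release tarball bytes")
	att := SignArtifact(priv, artifact)
	fmt.Println("valid:", VerifyArtifact(pub, artifact, att))
	tampered := append(append([]byte(nil), artifact...), '!')
	fmt.Println("tampered:", VerifyArtifact(pub, tampered, att))
}
```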
Both awesome to see, but also feels like this radically speeds up the ratcheting to a world where governments directly define what software computers may and may not run. An existential threat to end-user/general purpose computing.