A tuf-on-ci test repo using sigstore signing A completely keyless TUF repository: Repository signs online roles with sigstore using the ambient GitHub workflow identity offline signers use interactive sigstore identities