I do security work at GitHub (before that, Duo) and before that I was a co-founder at Olark.
I also maintain a2docs and BBTXL.
Advanced Security Capabilities All Package Managers Should Have
npm and Sigstore: Provenance Comes to the World's Largest OSS Ecosystem
Build Provenance for all Package Registries [OpenSSF Securing Software Repos Working Group]
Bringing Provenance to All of Open Source: Lessons from npm's Sigstore Integration [Supply Chain Security Con]
Security Considerations with Fulcio and OIDC JWTs
Why we're excited about the Sigstore general availability [GitHub Blog]
Unlocking Cloud Build Security with OIDC
Connecting to a Private Network from GitHub-hosted Actions Runners [GitHub Blog]
How to Secure Your End-to-End Supply Chain [GitHub Blog]