Open
Description
Currently, the chainloop CLI will try to gather information about your repository and if it finds it, it injects it in the in-toto attestation.
This is useful but a problem we've faced lately is that because of a change in the workflow (i.e moving checkout somewhere else down the line, or changing the subpath), the CLI couldn't find the info and hence we didn't get it, and worse, we didn't notice.
We could think about a way to enforce this information, similarly to what we do with the runners. Runner information is always retrieved and can be optionally enforced.