Hacker News

Hopefully the attestation is bound to a specific commit, so you can know the binaries came from the source?

Otherwise I don't get it.



Yes, it’s bound to a specific commit; we just don’t present that in the web UI yet. If you click on the transparency log entry, you’ll see the exact commit the attestation came from.


It doesn't seem to be from what I can see. Only states that the upload came from a gh runner.


See adjacent comment above.


Ok that's at least something.

But my CI can download and run code from anywhere, so that doesn't mean I can know what is being uploaded just by looking at the git repository alone.
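To make the two points above concrete, here is an added example (not code from the page, and not GitHub's or npm's own tooling) that checks an attestation the way the thread describes. It assumes the attestation payload is an in-toto Statement carrying a SLSA v1 provenance predicate, which is the shape GitHub's build provenance uses; the repository, commit, workflow path and artifact bytes are constructed for the demo. It verifies that the downloaded bytes are the attestation's subject, that the source checkout recorded in `resolvedDependencies` is the commit you reviewed, and that the workflow came from that same repository. The last function makes the caveat explicit: the provenance lists the inputs the builder recorded, so anything the workflow fetched at run time without declaring it does not appear at all.

```python
"""Check a SLSA v1 provenance attestation against the commit you expect.

Added example, not code from the page. Assumes the attestation payload is an
in-toto Statement with a SLSA v1 provenance predicate. The repo, commit,
artifact bytes and statement below are constructed for the demo.
"""
import hashlib
from typing import Optional

IN_TOTO_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"

# Constructed inputs: what the verifier independently expects (hypothetical).
REPO = "https://github.com/example-org/example-pkg"
COMMIT = "a" * 40  # hypothetical full SHA-1 hex
SAMPLE_ARTIFACT = b"constructed package tarball bytes"

# Constructed statement in the SLSA v1 provenance shape.
SAMPLE_STATEMENT = {
    "_type": IN_TOTO_V1,
    "subject": [{"name": "example-pkg-1.0.0.tgz",
                 "digest": {"sha256": hashlib.sha256(SAMPLE_ARTIFACT).hexdigest()}}],
    "predicateType": SLSA_V1,
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {
                "workflow": {"ref": "refs/heads/main", "repository": REPO,
                             "path": ".github/workflows/release.yml"}},
            "resolvedDependencies": [
                {"uri": f"git+{REPO}@refs/heads/main", "digest": {"gitCommit": COMMIT}}],
        },
        "runDetails": {"builder": {"id": "https://github.com/actions/runner/github-hosted"}},
    },
}


def source_commit(statement: dict, repo: str) -> Optional[str]:
    """Return the git commit recorded for `repo` in resolvedDependencies, if any."""
    deps = statement["predicate"]["buildDefinition"].get("resolvedDependencies", [])
    for dep in deps:
        uri = dep.get("uri", "")
        if uri == f"git+{repo}" or uri.startswith(f"git+{repo}@"):
            return dep.get("digest", {}).get("gitCommit")
    return None


def verify_provenance(statement: dict, artifact: bytes, expected_repo: str, expected_commit: str):
    """Return (ok, problems). Every failed check appends a message to problems."""
    problems = []
    if statement.get("_type") != IN_TOTO_V1 or statement.get("predicateType") != SLSA_V1:
        return False, ["not an in-toto Statement with a SLSA v1 provenance predicate"]

    # 1. Subject: the attestation must be about the bytes actually downloaded.
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in statement.get("subject", [])):
        problems.append("artifact digest is not among the attestation subjects")

    # 2. Source: the recorded checkout must be the commit that was reviewed.
    commit = source_commit(statement, expected_repo)
    if commit is None:
        problems.append(f"no resolved dependency recorded for {expected_repo}")
    elif commit != expected_commit:
        problems.append(f"built from commit {commit}, expected {expected_commit}")

    # 3. Workflow: the workflow definition must live in that same repository,
    #    otherwise a workflow somewhere else decided what got built.
    build_def = statement["predicate"]["buildDefinition"]
    workflow = build_def.get("externalParameters", {}).get("workflow", {})
    if workflow.get("repository") != expected_repo:
        problems.append(f"workflow came from {workflow.get('repository')!r}, not {expected_repo}")

    return not problems, problems


def undeclared_inputs_caveat(statement: dict, expected_repo: str) -> list:
    """List recorded inputs other than the source repo. Anything the job fetched at
    run time without declaring it is simply absent: the provenance says which
    checkout and workflow ran, not everything the workflow then executed."""
    deps = statement["predicate"]["buildDefinition"].get("resolvedDependencies", [])
    return [d["uri"] for d in deps if not d.get("uri", "").startswith(f"git+{expected_repo}")]


if __name__ == "__main__":
    ok, problems = verify_provenance(SAMPLE_STATEMENT, SAMPLE_ARTIFACT, REPO, COMMIT)
    print("ok" if ok else "FAILED", problems)
    print("other recorded inputs:", undeclared_inputs_caveat(SAMPLE_STATEMENT, REPO))
```

In practice the statement comes out of the signed DSSE envelope after the signature and the transparency log entry have been checked; the step shown here is only the policy applied to its contents, and the empty list from the caveat function is not evidence that the workflow fetched nothing else.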




