Description
GitHub recently launched artifact attestations (https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/), which build on sigstore's https://github.com/sigstore/fulcio, https://github.com/sigstore/rekor and https://github.com/sigstore/timestamp-authority.
For public repos there isn't really any concern here, as artifact attestations wrap the public-good sigstore instances of fulcio and rekor.
i.e. the following sigstore config would work to configure signing:
```yaml
fulcio:
  fulcioURL: "https://fulcio.sigstore.dev"
  oidcMode: "staticToken"
  oidcIDToken: "placeholder"
rekorURL: "https://rekor.sigstore.dev"
```
I'm more interested in supporting GitHub artifact attestations to ensure that we can use the private path supported by GitHub: using their own fulcio instance, and their timestamp authority for witnessing (note: private repos don't use rekor). This solves having to host your own instances for private repositories that we don't want to leak details about.
i.e. the following instances:
https://fulcio.githubapp.com
https://timestamp.githubapp.com
which would need to be supported in a config such as:
```yaml
fulcio:
  fulcioURL: "https://fulcio.githubapp.com"
  oidcMode: "staticToken"
  oidcIDToken: "placeholder"
timestampAuthorityURL: "https://timestamp.githubapp.com"
```
NOTE: timestampAuthorityURL is not a supported field today in containers-sigstore-signing-params.yaml.5, which means this is likely an issue to be created against https://github.com/containers/image as well.
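The two paths above differ in which signing-time witness the resulting sigstore bundle carries: a Rekor transparency-log entry (public path) or an RFC 3161 timestamp from the TSA (private path). The following added example, not part of this issue or of containers/image, inspects a bundle's verificationMaterial and reports which witness is present, so a verifier can tell an unwitnessed signature from one backed by either instance; the two bundles are constructed samples, not real attestations.

```python
import base64
import json

BUNDLE_MEDIA_TYPE = "application/vnd.dev.sigstore.bundle.v0.3+json"

# Constructed sample (not a real signature): public-path shape, Rekor entry only.
PUBLIC_BUNDLE = json.dumps({
    "mediaType": BUNDLE_MEDIA_TYPE,
    "verificationMaterial": {
        "tlogEntries": [{"logIndex": "123", "logId": {"keyId": "c0ffee"}}],
    },
})

# Constructed sample: private-path shape, RFC 3161 timestamp only, no tlog entry.
# The DER bytes are a placeholder SEQUENCE, not a real TimeStampResponse.
PRIVATE_BUNDLE = json.dumps({
    "mediaType": BUNDLE_MEDIA_TYPE,
    "verificationMaterial": {
        "timestampVerificationData": {
            "rfc3161Timestamps": [
                {"signedTimestamp": base64.b64encode(b"\x30\x03\x02\x01\x00").decode()}
            ]
        },
    },
})


def witnesses(bundle_json):
    """Count the Rekor entries and DER-shaped RFC 3161 timestamps in a bundle."""
    vm = json.loads(bundle_json).get("verificationMaterial", {})
    rekor = len(vm.get("tlogEntries", []))
    stamps = vm.get("timestampVerificationData", {}).get("rfc3161Timestamps", [])
    # A TimeStampResponse is DER; its outer tag must be SEQUENCE (0x30).
    tsa = sum(1 for s in stamps
              if base64.b64decode(s["signedTimestamp"])[:1] == b"\x30")
    return {"rekor_entries": rekor, "rfc3161_timestamps": tsa}


def witness_profile(bundle_json):
    """Map the witnesses found to the signing profile a verifier should expect."""
    w = witnesses(bundle_json)
    if w["rekor_entries"] and w["rfc3161_timestamps"]:
        return "both"
    if w["rekor_entries"]:
        return "public-rekor"   # matches the rekorURL config
    if w["rfc3161_timestamps"]:
        return "private-tsa"    # matches the proposed timestampAuthorityURL config
    return "unwitnessed"        # no trusted signing time: treat as a verification failure
```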