Replying to DanConwayDev

Super cool. For binaries, I thought about aligning with the work that nostr:nprofile1qqs8y6s7ycwvv36xwn5zsh3e2xemkyumaxnh85dv7jwus6xmscdpcygpz4mhxue69uhhyetvv9ujuerpd46hxtnfduhsz8thwden5te0dehhxarj9ekh2arfdeuhwctvd3jhgtnrdakj7qghwaehxw309aex2mrp0yhxummnw3ezucnpdejz7qxvpy4 has been doing with nostr:nprofile1qqs83nn04fezvsu89p8xg7axjwye2u67errat3dx2um725fs7qnrqlgpzamhxue69uhhyetvv9ujumn0wd68ytnzv9hxgtcsrhspy. One or more 'App Profile' events could reference the repo announcement and share WoT heuristics.

A binary 'release' event linked to one or more 'App Profile' events is then a list of nip94 events referring to each file in the release.

Trust attestations could be made against the repository, app profile, release, or authors of these events. You could have services like nostr:nprofile1qqsw3znfr6vdnxrujezjrhlkqqjlvpcqx79ys7gcph9mkjjsy7zsgygwr32sk's binary watch signing trust attestations for releases that support reproducible builds.

It makes a lot of sense to me to use 'App Profile', and not only because it aligns with zap.store. A repository may contain one or more 'app profiles'. Maybe it's a mono repo or has different releases for, say, desktop and Android.

I've thought for a long time that DVM would be great to do CI/CD instead of relying on git hooks.

I'm keen to hear your ideas. What thoughts are bubbling away?

https://github.com/zapstore/zapstore/issues/23
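
Added example, not part of the original note and not zapstore or ngit code: one way a client could check downloaded release files against the SHA-256 `x` tag of the NIP-94 (kind 1063) events a release lists. The release layout (`e` tags pointing at the file events), the event ids, the URLs and the file contents are constructed assumptions, and event signatures are assumed to have been verified already.

```python
import hashlib

NIP94_KIND = 1063  # NIP-94 file metadata event


def tag_value(event, name):
    """Return the first value of tag `name` in a Nostr event, or None."""
    for tag in event.get("tags", []):
        if len(tag) >= 2 and tag[0] == name:
            return tag[1]
    return None


def verify_release(release, file_events, artifacts):
    """Check each file a release references against its NIP-94 'x' hash.

    release:     event whose 'e' tags reference NIP-94 events (assumed layout)
    file_events: {event_id: NIP-94 event}, signatures already verified
    artifacts:   {url: downloaded bytes}
    Returns {event_id: status}; anything other than "ok" must block install.
    """
    results = {}
    for tag in release.get("tags", []):
        if len(tag) < 2 or tag[0] != "e":
            continue
        ev = file_events.get(tag[1])
        if ev is None or ev.get("kind") != NIP94_KIND:
            results[tag[1]] = "missing-metadata"
            continue
        expected = tag_value(ev, "x")
        data = artifacts.get(tag_value(ev, "url"))
        if expected is None or data is None:
            results[tag[1]] = "missing-file"
        elif hashlib.sha256(data).hexdigest() == expected.lower():
            results[tag[1]] = "ok"
        else:
            results[tag[1]] = "hash-mismatch"
    return results


def _file_event(url, data):
    # Constructed NIP-94 event carrying only the tags this check needs.
    return {"kind": NIP94_KIND,
            "tags": [["url", url], ["x", hashlib.sha256(data).hexdigest()]]}


# Constructed sample data: one release with desktop and Android files.
FILES = {"id-desktop": _file_event("https://example.invalid/app", b"desktop build"),
         "id-android": _file_event("https://example.invalid/app.apk", b"android build")}
RELEASE = {"tags": [["e", "id-desktop"], ["e", "id-android"], ["e", "id-unknown"]]}
DOWNLOADED = {"https://example.invalid/app": b"desktop build",
              "https://example.invalid/app.apk": b"tampered build"}
```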
