I don't see how that solves this problem as long as the attacker can delete and recreate a repository

sigstore's main design goal seems to be to increase the lock-in of of "trusted" providers

(the idea that Microsoft should be trusted for anything requiring any level of security is entirely ludicrous)

It’s a good first step, but a significant number of GitHub Actions pull a Docker image from a repository such as Docker Hub. In those cases, the GitHub Action being immutable wouldn’t prevent the downstream Docker image from being mutated.