Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use GItHub attestations to check for signed releases #4080

Open
edgarrmondragon opened this issue May 4, 2024 · 5 comments
Open

Use GItHub attestations to check for signed releases #4080

edgarrmondragon opened this issue May 4, 2024 · 5 comments
Labels
check/Signed-Releases kind/enhancement New feature or request Stale

Comments

@edgarrmondragon
Copy link
Contributor

edgarrmondragon commented May 4, 2024
edited
Loading

Is your feature request related to a problem? Please describe.

As seen in https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/.

Describe the solution you'd like

Check artifact signatures in a repo's https://github.com/<org>/<repo>/attestations URL.

Describe alternatives you've considered

Continue using the current Signed Releases check.

Additional context
@edgarrmondragon edgarrmondragon added the kind/enhancement New feature or request label May 4, 2024
@spencerschrock
Copy link
Member

This is on our radar. Some signals we may look for in a repo:

  • attestations: write permission
  • uses: actions/attest-build-provenance and checking the claimed subject-path against the release artifacts.

@edgarrmondragon
Copy link
Contributor Author

edgarrmondragon commented May 12, 2024
edited
Loading

fwiw actions/attest-build-provenance can produce an in-toto JSON file that can be uploaded to the release with a *.intoto.jsonl asset name, so this is already kinda supported.

(example in edgarrmondragon/citric#1132)

@Zxilly Zxilly mentioned this issue Jun 14, 2024
Open
@github-actions GitHub Actions
Copy link

This issue has been marked stale because it has been open for 60 days with no activity.

@github-actions github-actions bot added the Stale label Jul 12, 2024
@edgarrmondragon
Copy link
Contributor Author

I think this is still relevant?

@raghavkaul raghavkaul removed the Stale label Jul 15, 2024
@github-actions GitHub Actions
Copy link

github-actions bot commented Nov 9, 2024

This issue has been marked stale because it has been open for 60 days with no activity.

@github-actions github-actions bot added the Stale label Nov 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
check/Signed-Releases kind/enhancement New feature or request Stale
Projects
Scorecard - NEW
Status: No status
Milestone
No milestone
Development

No branches or pull requests
3 participants
@spencerschrock @raghavkaul @edgarrmondragon