-
Notifications
You must be signed in to change notification settings - Fork 507
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Use GItHub attestations to check for signed releases #4080
Comments
This is on our radar. Some signals we may look for in a repo:
|
fwiw actions/attest-build-provenance can produce an in-toto JSON file that can be uploaded to the release with a (example in edgarrmondragon/citric#1132) |
This issue has been marked stale because it has been open for 60 days with no activity. |
I think this is still relevant? |
This issue has been marked stale because it has been open for 60 days with no activity. |
Is your feature request related to a problem? Please describe.
As seen in https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/.
Describe the solution you'd like
Check artifact signatures in a repo's
https://github.com/<org>/<repo>/attestations
URL.Describe alternatives you've considered
Continue using the current Signed Releases check.
Additional context
The text was updated successfully, but these errors were encountered: