Add build provenance for gh CLI releases #9087
Conversation
Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Meredith Lancaster <malancas@github.com>
Signed-off-by: Meredith Lancaster <malancas@github.com>
Hihi, thanks for looking at this @malancas.

Is there a reason to do this in the job for each platform rather than once for all artifacts in the release job? We grab the artifacts uploaded from each platform job, and download them into the release job here:

`cli/.github/workflows/deployment.yml`, line 277 in 1bc3cfa:

    mv -v {linux,macos,windows}/gh_* dist/

Job logs: https://github.com/cli/cli/actions/runs/9066936008/job/24911809571

Edit: in fact, when I look at the issue this seems to be what Andy proposed and you agreed upon, which makes me even more curious!

If we don't gate this via For example: `cli/.github/workflows/deployment.yml`, line 330 in 1bc3cfa
Signed-off-by: Meredith Lancaster <malancas@github.com>
I feel confident enough to do it live, but we can generate provenance for a non-production release if you'd like. Note that all attestations will be available for view on https://github.com/cli/cli/attestations. So if we do decide to generate non-production attestations, they will appear on that page alongside the production attestations.
LGTM thank you. Looking forward to trying it out.
Fixes #9041

This adds build provenance for gh CLI releases. Because gh CLI releases generate multiple artifacts, the Action will create an attestation for each artifact prefixed with `gh` found in the `dist` directory.
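As an added example (this is not the PR's diff and not the cli/cli workflow itself), here is how the reviewer's suggestion could look: one attestation step in the release job after the per-platform artifacts have been gathered into `dist/`, followed by a verification step that checks every attestation that was just created. The download step, the `production` environment input used as the gate, and the action and version names are assumptions, not taken from the page.

```yaml
# Added example, not code from the PR: attest all dist/gh_* artifacts once in
# the release job, then verify them before publishing.
permissions:
  contents: read
  id-token: write      # needed to obtain the short-lived Sigstore signing identity
  attestations: write  # needed to store the attestation on the repository

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      # Assumed: each platform job uploaded an artifact named linux/macos/windows
      - uses: actions/download-artifact@v4
        with:
          path: ./

      - name: Collect platform artifacts into dist/
        run: |
          mkdir -p dist
          mv -v {linux,macos,windows}/gh_* dist/

      - name: Attest build provenance
        # Hypothetical gate: only sign artifacts that will actually be published,
        # so test runs do not show up on the repository's attestations page.
        if: ${{ inputs.environment == 'production' }}
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/gh_*   # glob: one attestation per matching artifact

      - name: Verify the attestations just created
        if: ${{ inputs.environment == 'production' }}
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # Fail the release if any artifact cannot be tied back to this repo's workflow
          for f in dist/gh_*; do
            gh attestation verify "$f" --repo "$GITHUB_REPOSITORY"
          done
```

The same `gh attestation verify <file> --repo cli/cli` command is what a downstream consumer would run on a downloaded release artifact, so the step exercises the exact check users will rely on.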