
ci: add best-effort artifact attestation for NuGet release #89

Merged
BenjaminMichaelis merged 1 commit into main from benjaminmichaelis/assess-attest-value
May 23, 2026
Conversation

@BenjaminMichaelis

Owner

NuGet trusted publishing with OIDC is already in place, but the release workflow did not emit GitHub artifact attestations for produced packages. This adds provenance hardening without introducing release risk.

What changed

  • Added attestations: write and artifact-metadata: write permissions to the deploy job.
  • Added an actions/attest@v4 step to attest all generated .nupkg files.
  • Made attestation best-effort via continue-on-error: true so publish remains non-blocking.

Notes for reviewers

This is intentionally additive: NuGet OIDC trusted publishing remains unchanged, and package push behavior is preserved even if attestation has a transient failure.

Add actions/attest@v4 to the deploy job for generated .nupkg files and grant required attestations permissions. Keep release behavior unchanged by making attestation non-blocking with continue-on-error.
Copilot AI review requested due to automatic review settings May 23, 2026 00:37

Copilot AI left a comment

Contributor

Pull request overview

This PR hardens the NuGet release workflow by emitting GitHub artifact attestations (provenance) for the produced .nupkg packages, while keeping the existing OIDC trusted publishing flow unchanged and non-blocking.

Changes:

  • Grant attestations: write and artifact-metadata: write permissions to the deploy job.
  • Add an actions/attest@v4 step to attest the generated .nupkg files.
  • Make attestation best-effort via continue-on-error: true so publishing is not blocked.

@BenjaminMichaelis BenjaminMichaelis merged commit ddbcf72 into main May 23, 2026
9 checks passed
@BenjaminMichaelis BenjaminMichaelis deleted the benjaminmichaelis/assess-attest-value branch May 23, 2026 02:39
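
The three changes described in this PR, sketched as a workflow fragment with one extra step that surfaces a failed best-effort attestation as a warning. This is an added example, not the repository's workflow file: the step id `attest`, the `artifacts/*.nupkg` path, the runner image, the `contents` and `id-token` permissions and the "Report attestation gap" step are assumptions.

```yaml
# Added illustration, not the repository's actual workflow.
jobs:
  deploy:
    runs-on: ubuntu-latest                 # assumed runner
    permissions:
      contents: read                       # assumed
      id-token: write                      # assumed: OIDC token for trusted publishing and signing
      attestations: write                  # named in the PR
      artifact-metadata: write             # named in the PR
    steps:
      # ... existing checkout, build and pack steps (not shown on the page) ...

      - name: Attest NuGet packages
        id: attest                         # assumed step id
        uses: actions/attest@v4
        continue-on-error: true            # best-effort, as the PR describes
        with:
          subject-path: artifacts/*.nupkg  # assumed package output path

      # steps.<id>.outcome holds the result before continue-on-error is
      # applied, so a failed attestation is still detectable here even
      # though the job carries on.
      - name: Report attestation gap
        if: steps.attest.outcome == 'failure'
        run: echo "::warning title=Attestation missing::Packages from this run have no provenance attestation."

      # ... existing NuGet push step (not shown on the page) ...
```

Because the attest step is non-blocking, a release can ship without an attestation; the warning annotation keeps that visible in the run summary instead of leaving it hidden behind a green check.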