Merged
Use actions/attest-build-provenance to generate Sigstore-backed attestations for each released executable, so consumers can verify that the binaries on GitHub Releases were built by this workflow rather than uploaded manually.
Pull request overview
Adds GitHub Actions build provenance attestations to the deployment workflow’s build matrix jobs, improving supply-chain integrity by generating cryptographic provenance for produced binaries.
Changes:
- Added per-job `permissions` required for OIDC-based provenance attestation (`id-token: write`, `attestations: write`, plus `contents: read`).
- Added `actions/attest-build-provenance@v2` steps for Linux, macOS, and Windows build outputs (after stripping on Unix).
Performance Regression Reports (commit: dca78f1): There are no regressions.
…ries Add a note to the GitHub install subsection and a new FAQ entry explaining that executables published to GitHub Releases starting from 0.22.1 are signed with Sigstore-backed build provenance attestations, along with the gh attestation verify command.
KSXGitHub commented Apr 7, 2026
Co-authored-by: Khải <hvksmr1996@gmail.com>
Extend build provenance attestations to the non-binary release assets. Shell completion files are sourced by the user's shell on tab completion, so a tampered completion file could execute arbitrary code; attesting them closes that gap. Checksum files are attested so that consumers who rely on sha*sum.txt can likewise verify it was produced by this workflow rather than swapped post-release.
Annotate the permissions blocks with the reason the job needs id-token: write (actions/attest-build-provenance obtains a Sigstore OIDC token). The build jobs also note that the narrower-blast-radius refactor — splitting attestation into a dedicated job — was considered and rejected as disproportionate.
KSXGitHub commented Apr 8, 2026
KSXGitHub pushed a commit that referenced this pull request on Apr 8, 2026
PR #387 added Sigstore-backed provenance to executables, completion files, the man page, and checksums, but missed `benchmark-reports.tar.gz` which is uploaded as a release asset by the `competing_benchmark` job. Without an attestation, there is no cryptographic proof that the archive was generated by this workflow rather than uploaded by hand, leaving the benchmark numbers open to accusations of tampering. Grant the `competing_benchmark` job the `id-token: write` and `attestations: write` permissions (along with the existing `contents: write` it already needs to upload release assets) and run `actions/attest-build-provenance@v2` against `tmp.benchmark-reports.tar.gz` right before it is uploaded.
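As an added illustration of the change this commit message describes (example config, not the repository's actual workflow): a minimal job that grants the three permissions, attests the archive and then uploads it. The benchmark build step, the `gh release upload` step and the OWNER/REPO placeholder are assumptions; the job name, file name and action come from the commit message above.

```yaml
# Added example, not the project's own workflow: a release job that grants
# the three permissions, attests the archive, then uploads it.
# Lines marked ASSUMED are placeholders that are not taken from the PR.
name: release
on:
  push:
    tags: ["v*"]

jobs:
  competing_benchmark:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # upload release assets
      id-token: write      # actions/attest-build-provenance obtains a Sigstore OIDC token
      attestations: write  # store the resulting attestation on GitHub
    steps:
      - uses: actions/checkout@v4

      # ASSUMED: stands in for the real benchmark run; produces a constructed archive.
      - name: Build benchmark reports
        run: |
          mkdir -p reports
          echo "constructed sample report" > reports/summary.txt
          tar -czf tmp.benchmark-reports.tar.gz reports

      # Attest the exact bytes that will be published. The attestation binds the
      # file's SHA-256 digest, so renaming it afterwards does not break verification.
      - name: Attest benchmark reports
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: tmp.benchmark-reports.tar.gz

      # ASSUMED: upload via gh release upload; the project's real upload step may differ.
      - name: Upload release asset
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          mv tmp.benchmark-reports.tar.gz benchmark-reports.tar.gz
          gh release upload "$GITHUB_REF_NAME" benchmark-reports.tar.gz --clobber

# Consumer side, run locally after download (OWNER/REPO is a placeholder):
#   gh attestation verify benchmark-reports.tar.gz --repo OWNER/REPO
# gh recomputes the digest, fetches the matching Sigstore bundle from GitHub's
# attestation store and checks it was issued to this repository's workflow;
# an asset swapped after release has a different digest and fails.
```

Pinning `--repo` on the consumer side is what ties the check to this repository's workflow rather than to any GitHub-issued attestation for the same digest.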
This PR adds build provenance attestation to the GitHub Actions CI/CD pipeline across all three build jobs (Linux, macOS, and Windows). This enhances supply chain security by generating cryptographic attestations for each build artifact.
Relevant resources:
https://claude.ai/code/session_01KThePWLJK2e5Y5RZfC8f2P