@Copilot Copilot AI commented Jun 27, 2025

This PR adds build attestation to the continuous integration pipeline using GitHub's actions/attest-build-provenance action. Build attestations provide cryptographic proof of the build's provenance, enhancing supply chain security for the library's NuGet packages.

Changes Made

Updated .github/workflows/continuous.yml:

  1. Added required permissions:

    • id-token: write - Required for OIDC token generation
    • attestations: write - Required for creating attestations
  2. Integrated attestation step:

    • Added actions/attest-build-provenance@v1 action
    • Positioned after build process but before artifact upload
    • Configured to target all .nupkg files in the Artifacts directory
```yaml
- name: 'Attest: Build Provenance'
  uses: actions/attest-build-provenance@v1
  with:
    subject-path: 'Artifacts/*.nupkg'
```

Benefits

  • Supply Chain Security: Provides cryptographic attestations that can be verified by consumers
  • Build Integrity: Creates tamper-evident records of what was built and how
  • Compliance: Supports security frameworks that require build provenance
  • Transparency: Enables verification of package authenticity and build environment

The implementation follows GitHub's recommended practices and requires no changes to the existing build process or artifact generation.

Fixes #9.



Co-authored-by: eNeRGy164 <10671831+eNeRGy164@users.noreply.github.com>
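As an added example (not code from this PR or the project), here is the kind of consumer-side check the "verified by consumers" benefit refers to: it decodes the in-toto statement carried in a Sigstore bundle of the form `gh attestation download` writes, confirms the local .nupkg digest is one of the attested subjects, and confirms the provenance names the expected repository and workflow file. The package bytes and bundle are constructed, the repository and package names are assumptions, and signature verification itself is left to `gh attestation verify`.

```python
import base64
import hashlib
import json

# Constructed sample: fake package bytes and a matching attestation bundle.
# Values are made up; the field layout follows in-toto Statement v1 / SLSA v1
# as emitted by actions/attest-build-provenance.
PKG_BYTES = b"PK\x03\x04 fake nupkg contents for the example"
PKG_SHA256 = hashlib.sha256(PKG_BYTES).hexdigest()
EXPECTED_REPO = "https://github.com/example-org/example-repo"  # assumption
EXPECTED_WORKFLOW = ".github/workflows/continuous.yml"


def _statement(subject_digest: str) -> dict:
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": "Example.Library.1.0.0.nupkg",
                     "digest": {"sha256": subject_digest}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {"buildDefinition": {"externalParameters": {"workflow": {
            "repository": EXPECTED_REPO, "path": EXPECTED_WORKFLOW,
            "ref": "refs/heads/main"}}}},
    }


def make_bundle(subject_digest: str) -> dict:
    """Constructed Sigstore bundle with a DSSE envelope (signature is a placeholder)."""
    payload = base64.b64encode(json.dumps(_statement(subject_digest)).encode()).decode()
    return {"dsseEnvelope": {"payloadType": "application/vnd.in-toto+json",
                             "payload": payload, "signatures": [{"sig": "placeholder"}]}}


def check_provenance(bundle: dict, artifact: bytes, repo: str, workflow_path: str):
    """Policy check on a bundle whose signature was already verified elsewhere.
    Does NOT verify the Sigstore signature; `gh attestation verify` does that."""
    env = bundle["dsseEnvelope"]
    if env.get("payloadType") != "application/vnd.in-toto+json":
        return False, "unexpected payload type"
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") != "https://slsa.dev/provenance/v1":
        return False, "not SLSA v1 provenance"
    digest = hashlib.sha256(artifact).hexdigest()
    if not any(s.get("digest", {}).get("sha256") == digest for s in stmt.get("subject", [])):
        return False, "artifact digest not among attested subjects"
    wf = stmt["predicate"]["buildDefinition"]["externalParameters"]["workflow"]
    if wf.get("repository") != repo or wf.get("path") != workflow_path:
        return False, "built by an unexpected repository or workflow"
    return True, "ok"
```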
@Copilot Copilot AI changed the title [WIP] Add attestation for the library Add build attestation for library packages Jun 27, 2025
Copilot finished work on behalf of eNeRGy164 June 27, 2025 13:32
@Copilot Copilot AI requested a review from eNeRGy164 June 27, 2025 13:32
@coveralls

Pull Request Test Coverage Report for Build 15927540542

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 100.0%

Totals Coverage Status
Change from base Build 15927062279: 0.0%
Covered Lines: 221
Relevant Lines: 221

💛 - Coveralls

@coveralls

Pull Request Test Coverage Report for Build 15927540438

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 100.0%

Totals Coverage Status
Change from base Build 15927062279: 0.0%
Covered Lines: 221
Relevant Lines: 221

💛 - Coveralls

@eNeRGy164 eNeRGy164 marked this pull request as ready for review June 27, 2025 13:37
@Copilot Copilot AI review requested due to automatic review settings June 27, 2025 13:37

@Copilot Copilot AI left a comment


Pull Request Overview

This PR integrates build attestation into the CI pipeline for enhancing supply chain security of the NuGet packages.

  • Added additional workflow permissions (id-token and attestations)
  • Integrated the attest-build-provenance action in the workflow to generate build attestations
Comments suppressed due to low confidence (2)

.github/workflows/continuous.yml:17

  • [nitpick] Consider adding an inline comment explaining the need for the 'id-token: write' permission to clarify its role in OIDC token generation for attestations.
  id-token: write

.github/workflows/continuous.yml:40

  • [nitpick] Adding a brief comment describing the purpose and positioning of the attestation step could help future maintainers understand its role in the CI pipeline.
      - name: 'Attest: Build Provenance'

@eNeRGy164 eNeRGy164 merged commit 4b79e1e into main Jun 27, 2025
7 checks passed
@eNeRGy164 eNeRGy164 deleted the copilot/fix-9 branch June 27, 2025 13:39
@eNeRGy164 eNeRGy164 added the workflow Changes related to the project's pipeline, automation, or CI/CD workflows. label Jun 27, 2025