Setup release artifact attesting with actions/attest-build-provenance
Update the "Publish / GitHub Release" job to attest to release artifacts using `actions/attest-build-provenance`. Under the hood, this uses Cosign (<https://docs.sigstore.dev/signing/quickstart/>). In particular, this uses keyless signing based on the OIDC token available in the job. That way, the published release artifacts are linked to the workflow that created them.

The version of Cosign used is not configurable with the tooling used (`actions/attest-build-provenance`), which is a bit unfortunate given that we have Cosign pinned in the "Publish / Docker Hub" job.

Signed-off-by: Eric Cornelissen <ericornelissen@gmail.com>
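A release job of the kind the commit message describes could look like the fragment below. This is an added example, not the diff of this commit or the project's own workflow: the trigger, job id, build command, `dist/` path and the `@v4`/`@v1` version tags are assumptions.

```yaml
# Illustrative workflow fragment; trigger, job id, build command and paths are assumptions.
name: Publish
on:
  push:
    tags: ["v*"]

permissions: {}  # start from no permissions and grant them per job

jobs:
  github-release:
    name: GitHub Release
    runs-on: ubuntu-latest
    permissions:
      id-token: write      # lets the job request the OIDC token used for keyless signing
      attestations: write  # lets the action store the attestation with the repository
      contents: write      # needed to create the release and upload its assets
    steps:
      - uses: actions/checkout@v4
      - name: Build release artifacts
        run: make dist  # hypothetical build step that writes files to dist/
      - name: Attest build provenance
        # Tag shown for readability; pin to a full commit SHA in a real workflow.
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/*  # every matching file becomes a subject of the attestation
      - name: Create GitHub Release
        run: gh release create "$GITHUB_REF_NAME" dist/* --generate-notes
        env:
          GH_TOKEN: ${{ github.token }}
```

A consumer can check a downloaded artifact against its attestation with `gh attestation verify <file> --repo <owner>/<repo>`, which fails if the file's digest is not a subject of an attestation issued for that repository.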