Setup release artifact attesting with actions/attest-build-provenance
#252
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Relates to #160, #210
Summary
Update the "Publish / GitHub Release" job to attest to release artifacts using
actions/attest-build-provenance
. Under the hood, this also uses Cosign (https://docs.sigstore.dev/signing/quickstart/) with keyless signing based on the workflow's OIDC token.The attestation functionality is recent (see this blog post from May 2, 2024) and still in beta. I haven't tested this anywhere else, so we'll find out whether and how this works with the next release of this project.