Setup release artifact attesting with actions/attest-build-provenance
#252
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ericcornelissen
added
ci/cd
Update the "Publish / GitHub Release" job to attest to release artifacts using `actions/attest-build-provenance`. Under the hood, this uses Cosign (<https://docs.sigstore.dev/signing/quickstart/>). In particular, this uses keyless signing based on the OIDC token available in the job. That way, the published release artifacts are linked to the workflow that created it. The version of Cosign used is not configurable with the tooling used (`actions/attest-build-provenance`), which is a bit unfortunate given that we have Cosign pinned in the "Publish / Docker Hub" job. Signed-off-by: Eric Cornelissen <ericornelissen@gmail.com>
ericcornelissen
force-pushed
the
160-attest-release-artifacts
branch
from
a71f065
to
4e44166
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Relates to #160, #210
Summary
Update the "Publish / GitHub Release" job to attest to release artifacts using
actions/attest-build-provenance. Under the hood, this also uses Cosign (https://docs.sigstore.dev/signing/quickstart/) with keyless signing based on the workflow's OIDC token.The attestation functionality is recent (see this blog post from May 2, 2024) and still in beta. I haven't tested this anywhere else, so we'll find out whether and how this works with the next release of this project.