You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
fix: attest release artifacts with build provenance
Obsidian's plugin scan flagged that the released main.js cannot be
independently reproduced from source. Add GitHub build-provenance
attestation (Sigstore-signed) so the released main.js/manifest.json/
styles.css can be cryptographically verified as genuine CI output from
this commit, regardless of byte-level build reproducibility:
gh attestation verify main.js --repo iOSonntag/obsidian-plugin-treefocus
- add id-token:write + attestations:write permissions
- attest-build-provenance pinned by commit SHA, gated to real releases
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
