Update GitHub CLI release process to generate artifact attestations #9041
Comments
@malancas @phillmv : Any concerns or considerations for the various release assets we generate in order to generate artifact attestations?
Looking at the deployment workflow, I assume this would be incorporated into cli/.github/workflows/deployment.yml, lines 224 to 278 in 4896546.
Yep, we can incorporate the provenance attestation generation in the The
FWIW that's what we did: https://github.com/Shopify/ejson/pull/146/files
Describe the feature or problem you’d like to solve
Integrate the features announced in https://github.com/cli/cli/releases/tag/v2.49.0, to attest the artifacts attached to cli/cli releases. The only usage of id-token: from Actions I can see looks like a regression test, https://github.com/search?q=repo%3Acli%2Fcli+%2Fattest%2F+language%3AYAML&type=code&l=YAML
Proposed solution
Call actions/attest-build-provenance with each artifact produced. If you'd prefer to sign the digest file (1 operation vs N operations for each platform/arch), that works for me too! actions/attest-build-provenance data will have an ~official pattern (e.g. sign each artifact vs the digest file), that other repos may follow.
Additional context
Assumption: I'm doing this right:
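As an added illustration (not cli/cli's deployment.yml and not code from the issue participants), a release workflow fragment showing the two options discussed above: attesting every artifact directly, or attesting only the digest file. The dist/ directory, the checksums.txt file name and the build script are assumptions.

```yaml
# Added example, not cli/cli's workflow. Assumes the release step writes the
# per-platform archives and a checksum file into dist/.
name: release
on:
  push:
    tags: ['v*']

permissions:
  contents: write      # needed to upload the release assets
  id-token: write      # OIDC token Sigstore uses to bind the signing identity
  attestations: write  # store the provenance attestation on the repository

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build release artifacts
        run: ./script/build-release.sh   # hypothetical; produces dist/*

      # Option A: one subject per artifact (N signing operations).
      # Every file matched by the glob is attested, so a consumer can verify
      # the exact archive they downloaded without any extra lookup.
      - name: Attest each artifact
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: 'dist/*'

      # Option B: attest only the digest file (1 signing operation).
      # The artifacts are then covered transitively: a consumer verifies the
      # attestation on checksums.txt and checks each archive's hash against it.
      # Use either A or B, not both, in a real workflow.
      - name: Attest the checksum file
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: 'dist/checksums.txt'
```

A consumer of a release verifies a downloaded asset (or the checksum file, under option B) with the feature shipped in v2.49.0: gh attestation verify <file> --repo cli/cli. Under option B the consumer must additionally compare the asset's digest against the verified checksums.txt, since the archive itself carries no attestation.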