Skip to content

Attest Build Provenance #253

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Feb 24, 2025
Merged

Attest Build Provenance #253

merged 1 commit into from
Feb 24, 2025

Conversation

GrantBirki
Copy link
Member

Attest Build Provenance 🔒

Artifact attestations enable you to increase the supply chain security of your builds by establishing where and how your software was built.

This pull request publishes build attestations for the rubocop-github Gem. This allows us and all downstream consumers to use the built in gh cli command to securely validate when/where the Gem was built and that GitHub (the trusted source) created it.

Example 📸

Here is an example of how users of this gem can verify the gem after this PR lands:

$ gh attestation verify rubocop-github-X.X.X.gem --owner github

Read more about artifact attestations here 📚

@Copilot Copilot AI review requested due to automatic review settings February 21, 2025 18:52
@GrantBirki GrantBirki requested a review from a team as a code owner February 21, 2025 18:52
Copilot
Copilot AI reviewed Feb 21, 2025
View reviewed changes
Copy link

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR Overview

This pull request adds build attestation steps to the release workflow to improve supply chain security for the rubocop-github Gem. Key changes include:

  • Adding the "id-token" and "attestations" permissions to the workflow.
  • Inserting a new step to attest the build provenance using the actions/attest-build-provenance action.
  • Updating the release action to a newer pinned version.

Reviewed Changes

File Description
.github/workflows/release.yml Updated permissions and added build attestation step; updated release action version.

Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.

Comments suppressed due to low confidence (1)

.github/workflows/release.yml:42

  • [nitpick] Consider using a semantic version tag for the 'actions/attest-build-provenance' action instead of a commit hash if a tag exists, to enhance clarity and maintainability.
      - uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # pin@v2

Tip: Copilot only keeps its highest confidence comments to reduce noise and keep you focused. Learn more

@GrantBirki GrantBirki merged commit 7372380 into main Feb 24, 2025
10 checks passed
@GrantBirki GrantBirki deleted the attest-build-provenance branch February 24, 2025 21:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@mattr- mattr- mattr- approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@GrantBirki @mattr-