GitHub now allows projects to sign their artifacts with Artifact Attestations. It looks like an easy way to sign our stuff, so I wanted to highlight it here, and get feedback from you maintainers. 😉
What we have already
Code related to signing
I found these bits of code that seem related to signing:
- renovate/.npmrc, line 2 (at commit b333f4b)
- renovate/.github/workflows/build.yml, line 645 (at commit b333f4b)
There's probably more code/config that I'm forgetting to list here! 🙃
What about tokens/secrets?
I expect we keep some secrets or tokens outside of the repository. Maybe with Artifact Attestations you do not need to worry about securing secrets or tokens related to signing?
GitHub blog quotes
Security features need to be more than just powerful—they have to be simple to adopt and easy to configure in order to be effective. Artifact Attestations couldn’t be easier to set up: all you need to do is add a bit of YAML to your GitHub Actions workflow to create an attestation and install the GitHub CLI tool to verify it.
Enable your GitHub Actions workflow to write to the attestations store:
Once your build is finished and you have the artifact downloaded, use GitHub CLI (version 2.49.0 or greater) to verify it, providing the name of the organization that contains the repository where the action ran:
Read the blog in full, because there are more instructions! I also want to highlight this warning:
A more secure future
It’s important to note that provenance by itself doesn’t make your artifact or your build process secure. What it does do is create a tamper-proof guarantee that the thing you’re executing is definitely the thing that you built, which can stop many attack vectors. It’s still vital to maintain strong application security processes like requiring code review for all patches, and applying dependency updates in a timely manner.
Related issues and PRs
#21612 (write permissions for id-token)
Documentation
Read the GitHub Blog, Introducing Artifact Attestations–now in public beta for more information.
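To make the two quoted steps concrete, here is an added example of what the "bit of YAML" looks like in a minimal release workflow. It is illustrative code written for this discussion, not the Renovate project's own build.yml and not taken from the blog post: the action name and version (actions/attest-build-provenance@v1), the artifact path (dist/*.tgz) and the workflow name are assumptions chosen for the example.

```yaml
# Added example (not from the Renovate repository or the GitHub blog):
# a minimal release job that builds an npm tarball and records signed
# build provenance for it.
# Assumptions: actions/attest-build-provenance@v1 as the attestation action,
# dist/*.tgz as the artifact path; both are placeholders for this example.
name: release-with-provenance

on:
  push:
    tags: ['v*']

permissions:
  contents: read        # checkout only; the job cannot write to the repository
  id-token: write       # lets the job mint the short-lived OIDC token Sigstore signs with
  attestations: write   # lets the job store the attestation on GitHub

jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build the artifact
        run: |
          mkdir -p dist
          npm pack
          mv ./*.tgz dist/

      # Signs a SLSA provenance statement whose subject is the tarball's digest.
      # No long-lived signing key or repository secret is involved: the signing
      # identity is the workflow's OIDC token, so there is nothing to rotate or leak.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: 'dist/*.tgz'

      - name: Upload the artifact
        uses: actions/upload-artifact@v4
        with:
          name: release-tarball
          path: dist/*.tgz
```

On the consuming side, once the tarball is downloaded, `gh attestation verify dist/<tarball>.tgz --owner <org>` (GitHub CLI 2.49.0 or newer, as the blog states; `<org>` is the organization that owns the repository) recomputes the file's digest, looks up attestations for it, and checks that the Sigstore signature and the signing workflow identity belong to that organization. If the bytes were altered after the build, or the attestation was produced by a workflow outside the organization, the check fails closed, which is the tamper-evidence the "A more secure future" quote refers to. This answers the tokens/secrets question above: with this flow the only permission involved is the per-job `id-token: write`, so there is no signing secret to store outside the repository.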