tschneidereit opened issue #9698:
Feature
GitHub provides an action for creation build provenance attestation for Actions-built artifacts, which we could integrate into our pipeline with, I think, low effort.
Benefit
Build provenance attestation would provide consumers with verifiable guarantees of the artifacts' provenance.
Implementation
Based on the Action's description, implementation seems fairly straight-forward and should involve not much besides following the steps documented there.
Alternatives
There might be alternative forms of attestation. This one has the advantage of being officially suppported by GitHub, and showing up in the project's attestations tab.
alexcrichton closed issue #9698:
Feature
GitHub provides an action for creation build provenance attestation for Actions-built artifacts, which we could integrate into our pipeline with, I think, low effort.
Benefit
Build provenance attestation would provide consumers with verifiable guarantees of the artifacts' provenance.
Implementation
Based on the Action's description, implementation seems fairly straight-forward and should involve not much besides following the steps documented there.
Alternatives
There might be alternative forms of attestation. This one has the advantage of being officially suppported by GitHub, and showing up in the project's attestations tab.
alexcrichton commented on issue #9698:
Well we have attestations now as they're rolling in for the artifacts produced for the
dev
tag. I downloaded a random one and ran:$ ./gh_2.63.1_linux_amd64/bin/gh attestation verify --owner bytecodealliance ./wasmtime-dev-riscv64gc-linux.tar.xz Loaded digest sha256:525d1ac2051ce2c903b6697c7875f85f27f1696e24993494b6d6506e8777d7be for file://wasmtime-dev-riscv64gc-linux.tar.xz Loaded 1 attestation from GitHub API ✓ Verification succeeded! sha256:525d1ac2051ce2c903b6697c7875f85f27f1696e24993494b6d6506e8777d7be was attested by: REPO PREDICATE_TYPE WORKFLOW bytecodealliance/wasmtime https://slsa.dev/provenance/v1 .github/workflows/publish-artifacts.yml@refs/heads/main
so it looks like... at least something is working!
Last updated: Dec 23 2024 at 12:05 UTC