Skip to content

feat: attest release tarballs with build provenance#84

Open
N4M3Z wants to merge 1 commit into
mainfrom
release-attestation
Open

feat: attest release tarballs with build provenance#84
N4M3Z wants to merge 1 commit into
mainfrom
release-attestation

Conversation

@N4M3Z

@N4M3Z N4M3Z commented Jul 9, 2026

Copy link
Copy Markdown
Owner

Problem

Module release tarballs published through module-release.yaml carry no provenance; nothing ties an asset on a GitHub release back to the workflow run and commit that built it.

Fix

actions/attest-build-provenance attests build/*.tar.gz after forge release, and the workflow declares the id-token and attestations permissions it needs. Consumers can verify assets with gh attestation verify.

Callers must grant the two new permissions in their release.yaml job, or the attestation step fails. Modules pinned to @main pick this requirement up on their next tag push; modules pinned to a tag (forge-core as of N4M3Z/forge-core#77) adopt it when they bump the pin, so tagging a v0.3.3 release after this merges gives them a clean target.

Test plan

  • make validate green (clippy, tests, semgrep, forge validate, secret scan)
  • Next module tag push produces a release with a verifiable attestation

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant