andyfeller left a comment
@v1v : firstly, thank you for opening up this PR and building upon the exciting new capability in v2.49.0! ❤️
Everything looks straightforward with a few suggestions around documentation and wordage. 🎉 My primary concern is that attest is the opposite side of the coin of using these attestations to verify that a build has gone through expected processes in being created; this change merely generates and uploads the attestations. 🙇
Want to put this on the @cli/package-security radar being new to contributing to the GitHub CLI; this action is used by GitHub CLI extension authors to build and publish their extensions to This is the necessary first part before updating the GitHub CLI to check for extensions' attestations before installing or upgrading, which we haven't discussed yet.
Co-authored-by: Andy Feller <[email protected]>

Support https://github.com/actions/attest-build-provenance for the attestation.