Skip to content

Add NuGet package attestations using GitHub provenance#3119

Merged
dennisdoomen merged 2 commits intomainfrom
copilot/add-nuget-attestations
Nov 8, 2025
Merged

Add NuGet package attestations using GitHub provenance#3119
dennisdoomen merged 2 commits intomainfrom
copilot/add-nuget-attestations

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented Nov 6, 2025
edited
Loading

Closes #[issue_number]

Adds cryptographically signed provenance attestations to NuGet packages on release, enabling consumers to verify package authenticity and build integrity.

Changes

  • Permissions: Added id-token: write and attestations: write to build job for OIDC and attestation generation
  • Pre-flight check: Verify .nupkg existence before attestation (tag pushes only)
  • Attestation step: Generate provenance using actions/attest-build-provenance@v2 for all packages in Artifacts/

Attestations are created after package build and before upload, only on tag pushes when packages exist.

Original prompt

Add nuget attestations for the nuget pakckage using github's provenance attestations

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

Copilot AI self-assigned this Nov 6, 2025
Copilot AI changed the title [WIP] Add NuGet attestations for the NuGet package Add NuGet package attestations using GitHub provenance Nov 6, 2025
Copilot AI requested a review from dennisdoomen November 6, 2025 18:50
@github-actions
Copy link
Copy Markdown

github-actions bot commented Nov 6, 2025
edited
Loading

Test Results

    37 files  ±0      37 suites  ±0   2m 55s ⏱️ +18s
 6 267 tests ±0   6 267 ✅ ±0  0 💤 ±0  0 ❌ ±0 
38 948 runs  ±0  38 948 ✅ ±0  0 💤 ±0  0 ❌ ±0 

Results for commit 518a9fc. ± Comparison against base commit 2ff081c.

This pull request removes 10 and adds 8 tests. Note that renamed tests count towards both. 
FluentAssertions.Specs.Streams.StreamAssertionSpecs+HaveLength ‑ When_a_throwing_stream_should_have_a_length_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
FluentAssertions.Specs.Streams.StreamAssertionSpecs+HaveLength ‑ When_a_throwing_stream_should_have_a_length_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
FluentAssertions.Specs.Streams.StreamAssertionSpecs+HavePosition ‑ When_a_throwing_stream_should_have_a_position_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
FluentAssertions.Specs.Streams.StreamAssertionSpecs+HavePosition ‑ When_a_throwing_stream_should_have_a_position_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
FluentAssertions.Specs.Streams.StreamAssertionSpecs+NotHaveLength ‑ When_a_throwing_stream_should_not_have_a_length_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
FluentAssertions.Specs.Streams.StreamAssertionSpecs+NotHaveLength ‑ When_a_throwing_stream_should_not_have_a_length_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
FluentAssertions.Specs.Streams.StreamAssertionSpecs+NotHavePosition ‑ When_a_throwing_stream_should_not_have_a_position_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
FluentAssertions.Specs.Streams.StreamAssertionSpecs+NotHavePosition ‑ When_a_throwing_stream_should_not_have_a_position_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'GetLengthExceptionMessage'.)
Object name: 'GetPositionExceptionMessage'.)

FluentAssertions.Specs.Streams.StreamAssertionSpecs+HaveLength ‑ When_a_throwing_stream_should_have_a_length_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'GetLengthExceptionMessage'.)
FluentAssertions.Specs.Streams.StreamAssertionSpecs+HaveLength ‑ When_a_throwing_stream_should_have_a_length_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'GetLengthExceptionMessage'.)
FluentAssertions.Specs.Streams.StreamAssertionSpecs+HavePosition ‑ When_a_throwing_stream_should_have_a_position_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'GetPositionExceptionMessage'.)
FluentAssertions.Specs.Streams.StreamAssertionSpecs+HavePosition ‑ When_a_throwing_stream_should_have_a_position_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'GetPositionExceptionMessage'.)
FluentAssertions.Specs.Streams.StreamAssertionSpecs+NotHaveLength ‑ When_a_throwing_stream_should_not_have_a_length_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'GetLengthExceptionMessage'.)
FluentAssertions.Specs.Streams.StreamAssertionSpecs+NotHaveLength ‑ When_a_throwing_stream_should_not_have_a_length_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'GetLengthExceptionMessage'.)
FluentAssertions.Specs.Streams.StreamAssertionSpecs+NotHavePosition ‑ When_a_throwing_stream_should_not_have_a_position_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'GetPositionExceptionMessage'.)
FluentAssertions.Specs.Streams.StreamAssertionSpecs+NotHavePosition ‑ When_a_throwing_stream_should_not_have_a_position_it_should_fail(exception: System.ObjectDisposedException: Cannot access a disposed object.
Object name: 'GetPositionExceptionMessage'.)

♻️ This comment has been updated with latest results.

@coveralls
Copy link
Copy Markdown

coveralls commented Nov 6, 2025
edited
Loading

Pull Request Test Coverage Report for Build 19192192660

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 97.154%
Totals Coverage Status
Change from base Build 18872999242: 0.0%
Covered Lines: 12826
Relevant Lines: 13046
💛 - Coveralls

@github-actions
Copy link
Copy Markdown

github-actions bot commented Nov 6, 2025
edited
Loading

Qodana for .NET

It seems all right 👌

No new problems were found according to the checks applied

💡 Qodana analysis was run in the pull request mode: only the changed files were checked
☁️ View the detailed Qodana report

Contact Qodana team

Contact us at [email protected]

@dennisdoomen dennisdoomen force-pushed the copilot/add-nuget-attestations branch from 66b076d to 34b4022 Compare November 8, 2025 07:29
@dennisdoomen dennisdoomen added the building Building and Infrastructure of Fluent Assertions label Nov 8, 2025
@dennisdoomen dennisdoomen requested a review from jnyrup November 8, 2025 07:29
jnyrup
jnyrup reviewed Nov 8, 2025
View reviewed changes
Copy link
Copy Markdown
Member

@jnyrup jnyrup left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've got no experience with attestation but it seems like a good thing to do.
What triggered you to enable this?
I only read this blog post so far.
https://andrewlock.net/creating-provenance-attestations-for-nuget-packages-in-github-actions/

@dennisdoomen
Copy link
Copy Markdown
Member

dennisdoomen commented Nov 8, 2025

What triggered you to enable this?

This suggestion was the trigger dennisdoomen/dotnet-library-starter-kit#35

@dennisdoomen dennisdoomen force-pushed the copilot/add-nuget-attestations branch from 34b4022 to 518a9fc Compare November 8, 2025 11:07
@dennisdoomen dennisdoomen marked this pull request as ready for review November 8, 2025 11:07
@dennisdoomen dennisdoomen merged commit 889bc88 into main Nov 8, 2025
14 checks passed
@dennisdoomen dennisdoomen deleted the copilot/add-nuget-attestations branch November 8, 2025 19:05
This was referenced Mar 16, 2026
Merged
Merged
Merged
Closed
Open
Closed
Merged
Open
This was referenced Apr 1, 2026
Open
Merged
Open
Merged
Open
Open
Merged
Merged
Merged
Merged
Open
Open
Merged
Merged
Merged
Open
Open
Open
Open
Open
Merged
Merged
Merged
Open
Merged
Open
Open
Closed
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dennisdoomen dennisdoomen dennisdoomen approved these changes

@jnyrup jnyrup jnyrup approved these changes

Assignees

@dennisdoomen dennisdoomen

Copilot code review Copilot

Labels

building Building and Infrastructure of Fluent Assertions

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@coveralls @dennisdoomen @jnyrup