
Commit 7e1a497

docs: add commands for artifact verification using GitHub Attestations (#1500)
Document how to verify release artifacts and Docker images using `gh attestation verify`. Refs: #1494, #1497
1 parent 1baa911 commit 7e1a497

2 files changed

Lines changed: 43 additions & 0 deletions

File tree

docs/installation.md

Lines changed: 20 additions & 0 deletions
@@ -93,3 +93,23 @@ COMPLETE=fish prek > ~/.config/fish/completions/prek.fish
9393
```powershell
9494
COMPLETE=powershell prek >> $PROFILE
9595
```
96+
97+
## Artifact Verification
98+
99+
Release artifacts are signed with
100+
[GitHub Attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations)
101+
to provide cryptographic proof of their origin. Verify downloads using the
102+
[GitHub CLI](https://cli.github.com/):
103+
104+
```console
105+
$ gh attestation verify prek-x86_64-unknown-linux-gnu.tar.gz --repo j178/prek
106+
Loaded digest sha256:xxxx... for file://prek-x86_64-unknown-linux-gnu.tar.gz
107+
Loaded 1 attestation from GitHub API
108+
✓ Verification succeeded!
109+
110+
- Attestation #1
111+
- Build repo:..... j178/prek
112+
- Build workflow:. .github/workflows/release.yml@refs/tags/vX.Y.Z
113+
```
114+
115+
This confirms the artifact was built by the official release workflow.
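Review bot: The closing sentence ("This confirms the artifact was built by the official release workflow.") claims more than the command above enforces: `--repo j178/prek` only checks that the attestation's signer identity belongs to that repository, so an attestation produced by any workflow in j178/prek would pass, and the workflow path only shows up in the printed `Build workflow:` summary line, which the reader has to check by eye. Consider pinning the expected workflow in the command itself, e.g. adding `--signer-workflow j178/prek/.github/workflows/release.yml` (a `gh attestation verify` flag in current GitHub CLI releases), or at least telling readers to compare the printed `Build workflow` line against `.github/workflows/release.yml` and the tag they downloaded. A short note that the argument must be the exact downloaded file would also help, since verification is bound to that file's digest (`Loaded digest sha256:...`) rather than to its name.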

docs/integrations.md

Lines changed: 23 additions & 0 deletions
@@ -23,6 +23,29 @@ If you prefer, you can also run the distroless image directly:
2323
docker run --rm ghcr.io/j178/prek:v0.3.0 --version
2424
```
2525

26+
### Verifying Images
27+
28+
Docker images are signed with
29+
[GitHub Attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations)
30+
to verify they were built by official prek workflows. Verify using the
31+
[GitHub CLI](https://cli.github.com/):
32+
33+
```console
34+
$ gh attestation verify --owner j178 oci://ghcr.io/j178/prek:latest
35+
Loaded digest sha256:xxxx... for oci://ghcr.io/j178/prek:latest
36+
Loaded 1 attestation from GitHub API
37+
✓ Verification succeeded!
38+
39+
- Attestation #1
40+
- Build repo:..... j178/prek
41+
- Build workflow:. .github/workflows/build-docker.yml@refs/tags/vX.Y.Z
42+
```
43+
44+
!!! tip
45+
46+
Use a specific version tag (e.g., `ghcr.io/j178/prek:v0.3.0`) or image
47+
digest rather than `latest` for verification.
48+
2649
## GitHub Actions
2750

2851
--8<-- "README.md:github-actions"
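Review bot: The command uses `--owner j178`, which accepts an attestation from any repository under that owner, while docs/installation.md in this same commit uses the stricter `--repo j178/prek`; the two pages should agree, and `--repo j178/prek` is the tighter check for an image built from a single repository. The example also verifies `oci://ghcr.io/j178/prek:latest` immediately before the tip advises against `latest`; showing `oci://ghcr.io/j178/prek:v0.3.0`, which matches the `docker run` example in the context lines above, would let the example follow its own advice. The tip could also say why: a tag can be re-pointed, so the digest that `gh` resolved and verified (`Loaded digest sha256:...`) may not be what a later `docker run` by tag pulls; recommending that readers run the verified digest (`ghcr.io/j178/prek@sha256:...`) closes that gap.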
