feat(ruby): add GitHub attestation verification for precompiled binaries#7382
Pull request overview
This PR adds GitHub artifact attestation verification for precompiled Ruby binaries, enhancing security by verifying that binaries were built by the correct GitHub Actions workflow using Sigstore-based verification.
Key Changes:
- Adds global `github_attestations` setting (default: true) with Ruby-specific override capability
- Implements `verify_github_attestations()` method in Ruby plugin to verify binaries before installation
- Reports attestation verification status in security info when enabled
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| src/plugins/core/ruby.rs | Implements attestation verification logic in Ruby plugin, including verification method and security feature reporting |
| settings.toml | Defines global and Ruby-specific GitHub attestations configuration settings |
| schema/mise.json | Adds JSON schema entries for the new attestation settings |
| e2e/core/test_ruby_github_attestations | Adds end-to-end test verifying attestation verification is attempted during Ruby installation |
| Ok(()) | ||
| } | ||
| Ok(false) => Err(eyre!( | ||
| "GitHub attestations verification returned false for ruby@{}", |
The error message for Ok(false) case is unclear about what went wrong. Consider providing more specific guidance such as 'GitHub attestations verification failed: attestation signature invalid' or similar actionable information.
| "GitHub attestations verification returned false for ruby@{}", | |
| "GitHub attestations verification failed for ruby@{}: \ | |
| attestation did not meet verification policy\n\ | |
| To disable attestation verification, set MISE_RUBY_GITHUB_ATTESTATIONS=false\n\ | |
| or add `ruby.github_attestations = false` to your mise config", |
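Review bot: the suggested message pairs "did not meet verification policy" with step-by-step instructions for turning verification off (`MISE_RUBY_GITHUB_ATTESTATIONS=false` / `ruby.github_attestations = false`), which nudges a user whose download genuinely failed attestation toward bypassing the check rather than investigating it. Lead with what the failure means for the downloaded tarball and what to check (source, version, network), and keep the opt-out instruction in the settings documentation that the message can point to.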
| let source = &settings.ruby.precompiled_url; | ||
|
|
||
| // Skip for custom URL templates (not GitHub repos) | ||
| if source.contains("://") { |
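Review bot: the `if source.contains("://")` branch makes verification fail-open with no trace: a custom `precompiled_url` skips attestation checking silently, so a config file or environment a user did not write can redirect downloads to another host and the install proceeds unverified without any indication. Emit a warning on this path stating that attestation verification was skipped and why, and consider reporting the skip in `security_info()` alongside the enabled case.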
Using contains('://') to detect custom URL templates is fragile and could incorrectly match GitHub URLs with protocols (e.g., 'https://github.com/...'). Consider using a more robust check, such as verifying whether the source starts with a protocol or matches a GitHub URL pattern.
| # Test: Install Ruby with GitHub attestations verification enabled | ||
| echo "Installing Ruby with GitHub attestations verification enabled..." | ||
|
|
||
| output=$(mise install [email protected] 2>&1) || true |
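Review bot: the `|| true` on `output=$(mise install ... 2>&1) || true` discards the install's exit status, so the test passes whether verification succeeded, failed or never ran. Capture the status separately (`status=0; output=$(mise install ... 2>&1) || status=$?`) and assert on it together with the expected message, so a regression that fails verification, or one that skips it, turns the test red.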
The test only verifies that the attestation verification message appears but doesn't verify that the attestation actually succeeded or failed appropriately. Consider adding assertions for successful verification (checking for '✓ GitHub attestations verified') or testing the failure case when attestations are invalid.
Add support for verifying GitHub artifact attestations when installing precompiled Ruby binaries from jdx/ruby. This ensures binary authenticity using Sigstore-based verification.

Changes:
- Add global `github_attestations` setting (default: true)
- Add `ruby.github_attestations` setting to override global
- Verify attestations after download, before extraction
- Report GithubAttestations in security_info when enabled
- Add e2e test for attestation verification

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>
Hyperfine Performance

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2025.12.11 x -- echo` | 20.4 ± 1.2 | 19.2 | 36.7 | 1.00 |
| `mise x -- echo` | 21.4 ± 1.0 | 19.4 | 28.8 | 1.05 ± 0.08 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2025.12.11 env` | 19.9 ± 0.5 | 18.8 | 21.5 | 1.00 |
| `mise env` | 20.4 ± 0.8 | 18.9 | 23.9 | 1.02 ± 0.05 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2025.12.11 hook-env` | 19.8 ± 0.9 | 18.8 | 27.6 | 1.00 ± 0.05 |
| `mise hook-env` | 19.7 ± 0.4 | 18.7 | 21.0 | 1.00 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2025.12.11 ls` | 17.1 ± 0.3 | 16.4 | 19.6 | 1.00 |
| `mise ls` | 17.3 ± 0.6 | 16.4 | 19.8 | 1.01 ± 0.04 |

xtasks/test/perf

| Command | mise-2025.12.11 | mise | Variance |
|---|---|---|---|
| install (cached) | 113ms | 113ms | +0% |
| ls (cached) | 69ms | 68ms | +1% |
| bin-paths (cached) | 77ms | 77ms | +0% |
| task-ls (cached) | 283ms | -87% |
Summary

`sigstore-verification` crate

Changes

- `github_attestations` setting (default: `true`) for all tools that support attestations
- `ruby.github_attestations` setting to override global for Ruby
- `verify_github_attestations()` method to Ruby plugin
- `GithubAttestations` in `security_info()` when enabled

Behavior

- `github_attestations = true` (default)
- `ruby.github_attestations = false`
- `precompiled_url` (non-GitHub)
- Error messages include instructions on how to disable verification if needed.

Test plan

- `mise install [email protected]` verifies attestations successfully

🤖 Generated with Claude Code
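The Behavior list above, as an added example that is not mise's own code: a hypothetical Rust policy function, using the setting names from this PR, that decides whether attestation verification runs for a Ruby download and replaces the `contains("://")` source check with an explicit github.com match. The accepted source formats (an `owner/repo` slug or an `https://github.com/owner/repo/...` URL) and the `Decision` type are assumptions.

```rust
// Added example (not mise's own code): a hypothetical policy mirroring the PR's
// github_attestations / ruby.github_attestations behaviour with a stricter source check.
#[derive(Debug, PartialEq)]
pub enum Decision {
    /// Run Sigstore attestation verification against this "owner/repo".
    Verify { repo: String },
    /// github_attestations (or the ruby.github_attestations override) is false.
    DisabledBySetting,
    /// precompiled_url is not a GitHub repo: verification is skipped. This is
    /// fail-open, so the caller should log it rather than stay silent.
    SkippedCustomSource(String),
}

/// `global` is `github_attestations`, `ruby_override` is `ruby.github_attestations`
/// (None when unset) and `source` is `ruby.precompiled_url`. Accepting either an
/// "owner/repo" slug or an https://github.com/owner/repo/... URL is an assumption.
pub fn attestation_decision(global: bool, ruby_override: Option<bool>, source: &str) -> Decision {
    // The per-tool setting wins over the global default.
    if !ruby_override.unwrap_or(global) {
        return Decision::DisabledBySetting;
    }
    match github_repo(source) {
        Some(repo) => Decision::Verify { repo },
        None => Decision::SkippedCustomSource(source.to_string()),
    }
}

/// Returns "owner/repo" for a bare slug or an https://github.com URL, None otherwise.
/// Unlike `contains("://")`, a github.com URL is still verified, while any other
/// scheme or host (including look-alikes such as github.com.example) is rejected.
fn github_repo(source: &str) -> Option<String> {
    let path = match source.strip_prefix("https://github.com/") {
        Some(rest) => rest,
        None if source.contains("://") => return None, // some other host or scheme
        None => source,                                 // treat as a bare slug
    };
    let mut parts = path.split('/').filter(|p| !p.is_empty());
    let (owner, repo) = (parts.next()?, parts.next()?);
    let slug_char = |c: char| c.is_ascii_alphanumeric() || matches!(c, '-' | '_' | '.');
    if !owner.chars().all(slug_char) || !repo.chars().all(slug_char) {
        return None;
    }
    Some(format!("{owner}/{repo}"))
}
fn main() {
    for src in ["jdx/ruby", "https://github.com/jdx/ruby/releases", "https://mirror.example/ruby.tar.gz"] {
        println!("{src} -> {:?}", attestation_decision(true, None, src));
    }
}
```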
Note

Adds Sigstore-based GitHub Artifact Attestations verification for precompiled Ruby binaries, configurable globally and per-Ruby, with an e2e test.

- `verify_github_attestations(...)` to validate precompiled tarballs and surfaces helpful failure messages.
- `GithubAttestations` in `security_info()` when experimental precompiled installs and verification are enabled.
- `settings.github_attestations` (default: `true`).
- `settings.ruby.github_attestations` to override global for Ruby precompiled binaries.
- `schema/mise.json` and `settings.toml` with options and docs.
- `e2e/core/test_ruby_github_attestations` to assert verification is attempted during `[email protected]` install.

Written by Cursor Bugbot for commit bf0879e.