Skip to content

Attest build provenance #31

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Apr 16, 2025
Merged

Attest build provenance #31

merged 2 commits into from
Apr 16, 2025

Conversation

@GrantBirki
Copy link
Member

@GrantBirki GrantBirki commented Apr 16, 2025

This pull request adds build provenance for binaries published via Actions

Copilot AI review requested due to automatic review settings April 16, 2025 19:29
Copilot AI reviewed Apr 16, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds build provenance for published binaries by configuring build output in Goreleaser and updating the release workflow to support attestation.

  • Added a "dist" configuration in .goreleaser.yaml to define the distribution directory.
  • Updated the release workflow to include additional permissions and a new attest-build-provenance step with pinned commit SHAs.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
.goreleaser.yaml Added the distribution directory configuration for build artifacts.
.github/workflows/release.yml Updated permissions and action steps to include build provenance attestation.
Comments suppressed due to low confidence (1)

.github/workflows/release.yml:37

  • Ensure that the 'subject-path' parameter specified as 'dist/' in this step correctly matches the output directory './dist' defined in .goreleaser.yaml to avoid potential mismatches in artifact location.
- uses: actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2 # pin@v2

@GrantBirki GrantBirki merged commit 3d664b5 into main Apr 16, 2025
7 checks passed
@GrantBirki GrantBirki deleted the attest-build-provenance branch April 16, 2025 19:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@GrantBirki