Attest build provenance #440

hugovk · 2024-06-01T09:17:19Z

Attest using GitHub's Artifact Attestations:

https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/

For example:

❯ gh attestation verify /tmp/downloads/pypistats-1.5.1.dev77-py3-none-any.whl -R hugovk/pypistats
Loaded digest sha256:c84120639508e13d701f69958dfdbbb6b5d338f83ed8ebae29c907086363b825 for file:///tmp/downloads/pypistats-1.5.1.dev77-py3-none-any.whl
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:c84120639508e13d701f69958dfdbbb6b5d338f83ed8ebae29c907086363b825 was attested by:
REPO              PREDICATE_TYPE                  WORKFLOW
hugovk/pypistats  https://slsa.dev/provenance/v1  .github/workflows/deploy.yml@refs/heads/main


❯ gh attestation verify /tmp/downloads/pypistats-1.5.1.dev77.tar.gz --owner hugovk
Loaded digest sha256:791b595a6dd6aa8471f36b8c0bafe05c9ea2e84751d478aff120d526c611ed29 for file:///tmp/downloads/pypistats-1.5.1.dev77.tar.gz
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:791b595a6dd6aa8471f36b8c0bafe05c9ea2e84751d478aff120d526c611ed29 was attested by:
REPO              PREDICATE_TYPE                  WORKFLOW
hugovk/pypistats  https://slsa.dev/provenance/v1  .github/workflows/deploy.yml@refs/heads/main

Attest build provenance

e1478a4

hugovk added the changelog: Added For new features label Jun 1, 2024

hugovk merged commit b726741 into main Jun 1, 2024
71 checks passed

hugovk deleted the attestations branch June 1, 2024 09:23

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Attest build provenance #440

Attest build provenance #440

hugovk commented Jun 1, 2024 •

edited

Loading

Attest build provenance #440

Attest build provenance #440

Conversation

hugovk commented Jun 1, 2024 • edited Loading

hugovk commented Jun 1, 2024 •

edited

Loading