Skip to content

Attest build provenance for release artifacts#64

Merged
djacu merged 1 commit into
mainfrom
harden/release-attestations
Jul 7, 2026
Merged

Attest build provenance for release artifacts#64
djacu merged 1 commit into
mainfrom
harden/release-attestations

Conversation

@djacu

@djacu djacu commented Jul 7, 2026

Copy link
Copy Markdown
Member

What

Adds a signed build-provenance attestation for the GitHub release artifacts (the branding guide PDF + the public logos in result-assets), using GitHub's official actions/attest-build-provenance.

  • New Attest build provenance step in the release job, right after building result-assets.
  • Grants the release job id-token: write + attestations: write (scoped to that job, alongside the existing contents: write).

Why

The npm package already gets provenance via npm trusted publishing (OIDC); this closes the same gap for the GitHub release channel. After a release, anyone can verify an artifact came from this repo's workflow:

gh attestation verify <artifact> -R NixOS/branding

It's GitHub-native (Sigstore-backed) — no third-party service.

Verification

  • actionlint: clean
  • pinact run --check: clean (new attest-build-provenance pinned to v4.1.1 / 0f67c3f…)
  • zizmor .github/ (regular gate): 0 findings
  • zizmor --pedantic .github/: 0 findings

Not verified

The step only runs on an actual tag-push release, which can't be exercised locally. subject-path: result-assets/* globs the built artifacts (symlinks into the Nix store — the same paths gh release create already uploads); worth confirming on the next release that it produces attestations for the expected files.

Sign the GitHub release artifacts (the branding guide PDF and the public
logos in result-assets) with actions/attest-build-provenance, so consumers
can verify their origin with `gh attestation verify <file> -R NixOS/branding`.

Grants the release job id-token: write + attestations: write (both scoped to
that job). Complements the npm package's trusted-publishing provenance — now
both distribution channels carry verifiable provenance.
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown

Artifact comparison

0 modified · 0 added · 0 deleted · 96 unchanged

Download report — HTML file; open in a browser.

Compared
  • Base: 9f328c5167886ec91fb7d9bbb7d4bf9a8e72b893 (current main tip when this ran)
  • After: b95e027a5ac2431310a9fbc9e54926331d52fde5 (merge commit; falls back to PR head if unmergeable)

@djacu djacu merged commit 4faef6a into main Jul 7, 2026
8 checks passed
@djacu djacu deleted the harden/release-attestations branch July 7, 2026 04:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant