Tangentially, I asked SLSA folks for a workflow here so that any project could trivially publish source code archives as release assets with signature and provenance, but it's unclear if/when that would ever actually be implemented. (Obviously, GitHub itself should directly support doing so, but...)
@rickeylev had this suggestion:
> The github /archive/ urls aren't guaranteed to have stable hashes. Github has changed their hashing twice and plans to do it again in the next year or so. It does violate a best practice to ensure remote artifacts aren't being tampered with.
>
> There are probably github docs about how to do this somewhere. What it means is, when creating a "github release", a file of the source is attached to it, much like you'd attach some built library you wanted to make directly downloadable.
>
> In rules_python, we do this automatically using an action:
> https://github.com/bazelbuild/rules_python/blob/677fb53a16d65082729be927dafd3a45fafa04c5/.github/workflows/release.yml#L40-L46
>
> The prior "create_archive_and_notes.sh" creates the tar.gz file, and that action-gh-release action uploads the file into the "github release". If you're doing manual releases, then it means you edit the release, and upload/attach the file to it.
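As an added example (not code from this issue, from rules_python, or from the linked workflow), the following POSIX shell script shows the two checks a consumer of such archives would want: a lint that flags dependencies fetched from GitHub /archive/ URLs, whose bytes are regenerated by GitHub and so may not keep a stable digest, and a verification of a downloaded release asset against a pinned sha256. The repository names, URLs and the sample WORKSPACE content are constructed for the example; the sha256 helper falls back to `shasum` where `sha256sum` is absent.

```shell
#!/bin/sh
# Added example: lint dependency manifests for GitHub /archive/ URLs and verify
# a fetched release asset against a pinned sha256. Names and inputs below are
# constructed for illustration and do not refer to any real project.

# Print the sha256 hex digest of a file, portably (sha256sum on Linux,
# shasum -a 256 on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# verify_asset FILE EXPECTED_SHA256
# Returns 0 when the file's digest equals the pinned value, 1 otherwise.
# A release asset is a fixed file, so a mismatch means the bytes changed in
# transit or at the source and the artifact must not be used.
verify_asset() {
  actual=$(sha256_of "$1")
  if [ "$actual" = "$2" ]; then
    return 0
  fi
  echo "digest mismatch for $1: expected $2, got $actual" >&2
  return 1
}

# count_archive_urls FILE
# Counts URLs of the form github.com/<owner>/<repo>/archive/..., which GitHub
# generates on the fly; their sha256 is not guaranteed to stay stable.
count_archive_urls() {
  grep -c 'github\.com/[^/"]*/[^/"]*/archive/' "$1" || true
}

# list_archive_urls FILE
# Prints each offending line with its line number so the maintainer can move
# that dependency to a release asset URL (releases/download/...).
list_archive_urls() {
  grep -n 'github\.com/[^/"]*/[^/"]*/archive/' "$1" || true
}

# Constructed sample manifest: one dependency on a regenerated /archive/ URL
# and one on an uploaded release asset. Only the first should be flagged.
SAMPLE_WORKSPACE=$(mktemp)
cat > "$SAMPLE_WORKSPACE" <<'EOF'
http_archive(
    name = "example_unstable",
    url = "https://github.com/example-org/example-repo/archive/refs/tags/v1.0.0.tar.gz",
    sha256 = "0000000000000000000000000000000000000000000000000000000000000000",
)
http_archive(
    name = "example_release_asset",
    url = "https://github.com/example-org/example-repo/releases/download/v1.0.0/example-repo-1.0.0.tar.gz",
    sha256 = "1111111111111111111111111111111111111111111111111111111111111111",
)
EOF

# Constructed stand-in for a downloaded release asset: the bytes "hello\n",
# whose sha256 is a well-known fixed value.
SAMPLE_ASSET=$(mktemp)
printf 'hello\n' > "$SAMPLE_ASSET"
PINNED_SHA256=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

# Demonstration when run directly: report unstable URLs, then verify the asset.
echo "unstable /archive/ URLs in manifest: $(count_archive_urls "$SAMPLE_WORKSPACE")"
list_archive_urls "$SAMPLE_WORKSPACE"
if verify_asset "$SAMPLE_ASSET" "$PINNED_SHA256"; then
  echo "release asset digest verified"
fi
```

Running the script prints one flagged line (the `/archive/` dependency) and confirms the sample asset. The lint deliberately matches only the `owner/repo/archive/` path segment, so `releases/download/` URLs, which point at files uploaded to a release as the comment above recommends, are not reported.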