
[release] Support for GitHub Artifact Attestation #1651

Closed
brunoborges opened this issue May 2, 2024 · 3 comments
Labels: bounty (Feature is open for bounty), enhancement (New feature or request)

Comments

@brunoborges

See the announcement.

More detailed information in GitHub's generate-build-provenance repository.

@brunoborges brunoborges added the enhancement New feature or request label May 2, 2024
@aalmiray aalmiray added the bounty Feature is open for bounty label May 2, 2024
@aalmiray aalmiray changed the title Support for GitHub Artifact Attestation [release] Support for GitHub Artifact Attestation May 3, 2024
@aalmiray
Member

aalmiray commented May 3, 2024

As far as I can tell the behavior is exposed as a GH action. JReleaser would require direct API calls while running on a GitHub runner. I suppose 3rd parties may not have access to such an API; otherwise bad actors may gain access.

@martinwoodward @brunoborges would appreciate any tips & hints you may provide 😅

@aalmiray
Member

aalmiray commented Jun 5, 2024

Similarly to what was done with the SLSA catalog, JReleaser can generate a file that contains a list of all releasable artifacts that should be attested. This file would have to be fed to the https://github.com/actions/attest-build-provenance action.

In this way, there's no external duplication when defining subject paths and there should be a match with every artifact posted as a release asset.

cc: @sormuras
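As an added example (not code from this issue, from JReleaser, or from the attest-build-provenance action), the check the comment above describes: turn a generated artifact list into attestation subjects and confirm that every asset published with the release matches one of them. The list-file format (one path per line, `#` comments) and the artifact names are assumptions; the in-toto Statement shape is the one GitHub provenance attestations use.

```python
import hashlib
import os
import tempfile

# Assumed (hypothetical) format for the JReleaser-generated list: one artifact
# path per line, comment lines starting with "#". Newline-separated paths are
# what the attest-build-provenance `subject-path` input accepts.
def read_subject_list(list_path):
    with open(list_path) as f:
        return [ln.strip() for ln in f if ln.strip() and not ln.startswith("#")]

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_subjects(list_path, base_dir):
    """Map the artifact list to in-toto Statement subjects (name + sha256 digest)."""
    return [{"name": os.path.basename(p),
             "digest": {"sha256": sha256_of(os.path.join(base_dir, p))}}
            for p in read_subject_list(list_path)]

def unattested_assets(release_assets, statement):
    """Return release assets (name -> sha256) with no matching subject.
    A name match with a different digest counts as unattested too: the
    attestation then does not cover the bytes that were actually published."""
    covered = {(s["name"], s["digest"].get("sha256")) for s in statement["subject"]}
    return sorted(n for n, d in release_assets.items() if (n, d) not in covered)

def demo():
    """Constructed sample: two listed artifacts, three published assets."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in [("app-1.0.jar", b"jar bytes"), ("app-1.0.zip", b"zip bytes")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        lst = os.path.join(d, "artifacts.txt")
        with open(lst, "w") as f:
            f.write("# constructed sample list\napp-1.0.jar\napp-1.0.zip\n")
        statement = {"_type": "https://in-toto.io/Statement/v1",
                     "subject": build_subjects(lst, d),
                     "predicateType": "https://slsa.dev/provenance/v1",
                     "predicate": {}}
        assets = {"app-1.0.jar": sha256_of(os.path.join(d, "app-1.0.jar")),
                  "app-1.0.zip": hashlib.sha256(b"tampered").hexdigest(),
                  "app-1.0.tar.gz": hashlib.sha256(b"never listed").hexdigest()}
        return unattested_assets(assets, statement)
```

`demo()` reports the zip (digest differs from the attested bytes) and the tarball (never listed), which is exactly the gap the generated list is meant to close.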

@sormuras
Contributor

sormuras commented Jun 5, 2024

Lovely!

Beware that there's another interesting feature on the roadmap:

Which could render the interaction with JReleaser as easy as:

  • just release to GHA with JReleaser
  • let the release process generate attestations for all attached artifacts

No?

@aalmiray aalmiray self-assigned this Jun 5, 2024
@aalmiray aalmiray added this to the v1.13.0 milestone Jun 5, 2024
aalmiray added a commit to jreleaser/jreleaser.github.io that referenced this issue Jun 5, 2024