-
Generate verifiable signed attestations for every artifact made with GitHub Actions.
- https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/
- https://github.com/ac…
-
Binary caches can contain objects that are 'directly' part of a build, instead of being the result of a derivation: an example is https://cache.nixos.org/h9lc1dpi14z7is86ffhl3ld569138595.narinfo
Si…
-
### Verification
- [X] This issue's title and/or description do not reference a single formula e.g. `brew install wget`. If they do, open an issue at https://github.com/Homebrew/homebrew-core/issues/…
-
- Branches
- [`atproto`](https://github.com/publicdomainrelay/reference-implementation/tree/atproto)
- References
- [`openssf_metrics.md`: WIP SCITT Use Case: Attestations of alignment to S2C2F…
-
From the README:
> If the repository initiating the GitHub Actions workflow is public, the public-good instance of Sigstore will be used to generate the attestation signature. If the repository is …
-
GitHub now has full support for Artifact Attestations: https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/
The feature supersedes our usage of SigStore (#156), si…
-
There are two parts to this:
+ [x] Publish science binaries with artifact attestation (see https://github.com/a-scie/ptex/pull/192 and https://github.com/a-scie/jump/pull/220 for examples).
+ [ ] Su…
-
## 📚 Context
### Problem:
Currently, there is a lack of visibility into the build process and contents of Docker images used in the project. This makes it challenging to assess the security ris…
-
### Problem Statement
As of v1.11, Kyverno verifies image signatures and attestations one at a time. The bulk of the time is taken in fetching data.
### Solution Description
Fetch signatures and at…
-
Once they are out of beta, we should use GitHub Attestations for our release assets.
https://github.blog/2024-05-02-introducing-artifact-attestations-now-in-public-beta/