INRIA / spoon

Spoon is a metaprogramming library to analyze and transform Java source code. :spoon: is made with :heart:, :beers: and :sparkles:. It parses source files to build a well-designed AST with powerful analysis and transformation API.
http://spoon.gforge.inria.fr/

review: doc: add SUPPLY-CHAIN.md #6063

Closed ludvigch closed 2 weeks ago

ludvigch commented 2 weeks ago

This PR adds documentation of the changes in #6016 as well as a short description of how to verify the attestations created during a release. I am a bit unsure if the manual verification process is relevant or if the simpler method of using the GitHub CLI to verify an attestation suffices?

Addressing @monperrus's suggestion

algomaster99 commented 2 weeks ago

@I-Al-Istannen @monperrus ready for merge from my side

monperrus commented 2 weeks ago

Thanks a lot, all.

Further refined, will merge when CI is green.