GitHub has released a new feature called Artifact Attestations, which allows for verifying the integrity of artifacts build via GitHub Actions.
This is an additional security and compliance feature, which allows for checking which workflow build the artifact and ensuring the artifact has not been tampered with after the generation via the workflow.
To me, this sounds like a good addition to the build process for release phars, so this commit implements attesting PHARs for releases.
To verify the phar files (after the next release, which will be the first to use this feature):
Download the PHAR file(s), either from "Releases", from the tag "Test" workflow run or via PHIVE.
If downloaded as a zipped artifact, unzip to get to the actual PHAR files.
Using the GitHub CLI tool, run the below command to verify:
Note: I've tested this by (temporary) commenting out the "releases only" condition and have succeeded in verifying the generated artifacts using the above steps.
The provenance of PHAR files associated with a release can now be verified via GitHub Artifact Attestations using the GitHub CLI tool with the following command: gh attestation verify [phpcs|phpcbf].phar -o PHPCSStandards
Note: this should probably also be mentioned in the README.
Description
GitHub has released a new feature called Artifact Attestations, which allows for verifying the integrity of artifacts build via GitHub Actions.
This is an additional security and compliance feature, which allows for checking which workflow build the artifact and ensuring the artifact has not been tampered with after the generation via the workflow.
To me, this sounds like a good addition to the build process for release phars, so this commit implements attesting PHARs for releases.
To verify the phar files (after the next release, which will be the first to use this feature):
Note: I've tested this by (temporary) commenting out the "releases only" condition and have succeeded in verifying the generated artifacts using the above steps.
References:
Suggested changelog entry
gh attestation verify [phpcs|phpcbf].phar -o PHPCSStandards
Note: this should probably also be mentioned in the README.