PHPCSStandards / PHP_CodeSniffer

PHP_CodeSniffer tokenizes PHP files and detects violations of a defined set of coding standards.
BSD 3-Clause "New" or "Revised" License

GH Actions: provide attestations for release PHAR files #574

Closed jrfnl closed 3 months ago

jrfnl commented 3 months ago

Description

GitHub has released a new feature called Artifact Attestations, which allows for verifying the integrity of artifacts built via GitHub Actions.

This is an additional security and compliance feature, which allows for checking which workflow built the artifact and ensuring the artifact has not been tampered with after the generation via the workflow.

To me, this sounds like a good addition to the build process for release phars, so this commit implements attesting PHARs for releases.

To verify the phar files (after the next release, which will be the first to use this feature):

Note: I've tested this by (temporarily) commenting out the "releases only" condition and have succeeded in verifying the generated artifacts using the above steps.

References:

Suggested changelog entry

Note: this should probably also be mentioned in the README.
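The verification the PR description refers to, as an added example that is not part of the PR or of the PHP_CodeSniffer project: a small POSIX shell script that checks a downloaded release PHAR against its GitHub artifact attestation with the `gh` CLI. The repository slug comes from the page; the release workflow path, the PHAR file name, the offline bundle name and the digest used in the test are assumptions or constructed values, and the `gh attestation verify` / `gh attestation download` flags are the ones documented for recent `gh` releases (check `gh attestation verify --help` on your version). The point a practitioner should not miss: `--repo` alone accepts an attestation signed by any workflow in the repository, so the script also pins the signing workflow.

```shell
#!/bin/sh
# Added example (not code from PHP_CodeSniffer or from PR #574): verify a
# release PHAR against its GitHub artifact attestation.
# Assumptions not stated on the page: the release workflow path below is a
# placeholder; pin it to the workflow that actually attests the PHARs.

REPO="PHPCSStandards/PHP_CodeSniffer"
# Assumed workflow path (owner/repo/path form expected by --signer-workflow).
RELEASE_WORKFLOW="PHPCSStandards/PHP_CodeSniffer/.github/workflows/release.yml"

# Print the lowercase hex SHA-256 of a file with whatever tool is available.
phar_digest() {
    f="$1"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$f" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$f" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$f" | sed 's/^.*= //'
    fi
}

# Compare a file's digest with one pinned beforehand (e.g. in a lock file).
# Hex case is ignored. Returns 0 on match, 1 otherwise.
check_expected_digest() {
    actual=$(phar_digest "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Online verification. --repo restricts acceptable attestations to ones issued
# for this repository; --signer-workflow additionally requires that the
# attesting workflow is the release workflow, so an attestation produced by any
# other workflow in the same repository (e.g. a PR build) is rejected.
# gh itself compares the attestation's subject digest with the file's digest.
verify_phar_attestation() {
    gh attestation verify "$1" --repo "$REPO" --signer-workflow "$RELEASE_WORKFLOW"
}

# Offline variant: verify against a bundle fetched earlier with
#   gh attestation download FILE --repo OWNER/REPO
# which writes a JSON-lines bundle named after the file's SHA-256 digest.
verify_phar_attestation_offline() {
    gh attestation verify "$1" --repo "$REPO" \
        --signer-workflow "$RELEASE_WORKFLOW" --bundle "$2"
}

# Usage: main PHAR [EXPECTED_SHA256]
# Fails fast on a digest mismatch before talking to GitHub at all.
main() {
    phar="$1"
    expected="${2:-}"
    if [ -n "$expected" ]; then
        check_expected_digest "$phar" "$expected" || {
            echo "digest mismatch for $phar" >&2
            return 1
        }
    fi
    verify_phar_attestation "$phar"
}

# Run only when invoked with arguments, e.g.:
#   sh verify_phar.sh phpcs.phar
#   sh verify_phar.sh phpcs.phar <pinned sha256>
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

The digest pin is optional and independent of the attestation: the attestation proves which workflow built the bytes you hold, while the pinned digest proves they are the same bytes you reviewed or locked earlier. Both checks together are what you want in a supply-chain policy that forbids silently re-released artifacts.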

jrfnl commented 3 months ago

Rebased without changes. Merging once the build has passed.