Shopify / ejson

EJSON is a small library to manage encrypted secrets using asymmetric encryption.
MIT License

Please sign packages or provide other means to verify binary integrity #68

Closed berlincount closed 3 months ago

burke commented 5 years ago

The release process is typically only run from dev (e.g. my) machines, so there's no natural place (i.e. shipit) for credentials to live. If anyone (e.g. you) wants to take a run at it, it shouldn't be terribly hard to build a shipit-ified release process with signing.

It's not high on my priority list though: I'm not likely to get to it soon.

thepwagner commented 3 months ago

We use goreleaser now.

https://github.com/shopify/hansel uses sigstore, we could copy that pattern.

GitHub's new attestations are pretty great - we should use them!
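What the consumer-side check looks like once the release is signed the way the comment above describes, as an added example that is not part of this thread and not ejson's own release tooling. It assumes the goreleaser cosign pattern (checksums.txt signed keylessly, with checksums.txt.pem and checksums.txt.sig published beside it), a release workflow at .github/workflows/release.yml in Shopify/ejson, and artifact names of the form ejson_<version>_<os>_<arch>; the identity regexp, the repository slug and the file names are all assumptions, and the offline demo runs on constructed files rather than a real release.

```shell
#!/bin/sh
# Added example: verify a goreleaser-style release that ships a cosign-signed
# checksums file, or a GitHub build-provenance attestation. Repo slug, workflow
# path and artifact names are assumptions, not ejson's actual release layout.

set -u

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'
  else
    shasum -a 256 "$1" | awk '{ print $1 }'
  fi
}

# Verify one artifact against a checksums file of "<sha256>  <name>" lines.
# Returns 0 on match, 1 on mismatch or when the artifact is not listed at all.
verify_checksum() {
  artifact="$1"; checksums="$2"
  name=$(basename "$artifact")
  expected=$(awk -v n="$name" '$2 == n { print $1 }' "$checksums")
  [ -n "$expected" ] || { echo "not listed in checksums: $name" >&2; return 1; }
  actual=$(sha256_of "$artifact")
  [ "$actual" = "$expected" ] || { echo "checksum mismatch: $name" >&2; return 1; }
}

# Verify the keyless cosign signature over the checksums file. Pinning the
# issuer and the signing identity to the release workflow is the part that
# matters: without it, any sigstore-signed blob would pass. Needs network
# access (Fulcio/Rekor). Identity regexp is an assumption.
verify_checksums_signature() {
  checksums="$1"
  cosign verify-blob "$checksums" \
    --certificate "$checksums.pem" \
    --signature "$checksums.sig" \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-identity-regexp \
      '^https://github.com/Shopify/ejson/\.github/workflows/release\.yml@refs/tags/v'
}

# Alternative: GitHub build-provenance attestation bound to the repository.
verify_attestation() {
  gh attestation verify "$1" --repo Shopify/ejson
}

# Full procedure: establish who produced the checksums first, then check the
# hash of the binary against them. A hash alone only proves the download
# matches what the server currently serves.
verify_release() {
  artifact="$1"; checksums="$2"
  if command -v cosign >/dev/null 2>&1; then
    verify_checksums_signature "$checksums" || return 1
  elif command -v gh >/dev/null 2>&1; then
    verify_attestation "$artifact" || return 1
  else
    echo "neither cosign nor gh available; cannot verify provenance" >&2
    return 1
  fi
  verify_checksum "$artifact" "$checksums"
}

# Offline demo on constructed files (not a real ejson release): the untouched
# artifact must pass the checksum check and a tampered copy must fail it.
demo() {
  dir=$(mktemp -d)
  printf 'fake release binary\n' > "$dir/ejson_1.0.0_linux_amd64"
  (cd "$dir" && printf '%s  %s\n' "$(sha256_of ejson_1.0.0_linux_amd64)" \
      ejson_1.0.0_linux_amd64 > checksums.txt)
  verify_checksum "$dir/ejson_1.0.0_linux_amd64" "$dir/checksums.txt" || return 1
  printf 'tampered\n' >> "$dir/ejson_1.0.0_linux_amd64"
  if verify_checksum "$dir/ejson_1.0.0_linux_amd64" "$dir/checksums.txt" 2>/dev/null; then
    return 1
  fi
  rm -rf "$dir"
  echo "checksum demo ok"
}
```

Against a real release you would run `verify_release ./ejson_1.0.0_linux_amd64 ./checksums.txt` with cosign or gh installed; `demo` exercises only the checksum half so it can run without network access.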