Open ilia-shipitsin opened 9 months ago

Hello,
GitHub runner images team here. We are looking at securing supply chains when adding software to CI images.
Are there checksums available? Or maybe some recommended validation approach.
Thanks!

Could you give a bit more info on what you want to checksum? Is it the codeql-action itself? The CodeQL CLI? Both?

@ilia-shipitsin since we have multiple artifacts (one artifact for each of the 3 major OSes, and one "universal" artifact), do you have a preference between the following options?

The standard unix model is one signature per file, since it enables `wget $url{,.sig}` (as the `gh` CLI does, for example).
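As an added example (not code from this thread, and not part of the codeql-action project), the script below shows the per-file sidecar model being discussed from the consumer's side: one artifact, one sidecar next to it, fetched together by a single brace expansion and checked before anything is installed into a CI image. The `.sha256` suffix, the sidecar format and the file names are assumptions for the demo; a `.sig` sidecar follows the same flow with `gpg --verify` replacing the digest comparison.

```shell
#!/bin/sh
# Added example, not from the thread or the codeql-action project.
# Demonstrates the "one signature/checksum per file" layout: each artifact
# ships with a sidecar, so `wget $url{,.sha256}` fetches both in one go.
# Assumptions: the sidecar suffix is ".sha256" and its first line is
# "<hex digest>  <filename>" (sha256sum format). None of this is from the page.

# Print the artifact URL and its sidecar URL, one per line: exactly what the
# shell's brace expansion $url{,.sha256} hands to a downloader.
sidecar_urls() {
    printf '%s\n' "$1" "$1.sha256"
}

# Hex SHA-256 of a file; falls back to shasum where sha256sum is absent.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Verify FILE against the digest recorded in SUMFILE.
# Exit status: 0 match; 1 mismatch (treat as tampered or corrupt, do not
# install); 2 sidecar missing or empty (fail closed, never skip the check).
verify_checksum() {
    file=$1
    sumfile=$2
    [ -s "$sumfile" ] || return 2
    expected=$(awk 'NR==1 {print tolower($1)}' "$sumfile")
    actual=$(digest "$file")
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Constructed demo: a fake bundle with a matching sidecar, then a tampered copy.
demo() {
    dir=$(mktemp -d)
    printf 'constructed bundle contents\n' > "$dir/bundle.tar.gz"
    printf '%s  bundle.tar.gz\n' "$(digest "$dir/bundle.tar.gz")" \
        > "$dir/bundle.tar.gz.sha256"
    sidecar_urls "https://example.invalid/bundle.tar.gz"
    verify_checksum "$dir/bundle.tar.gz" "$dir/bundle.tar.gz.sha256" \
        && echo "intact bundle: OK"
    printf 'x' >> "$dir/bundle.tar.gz"
    verify_checksum "$dir/bundle.tar.gz" "$dir/bundle.tar.gz.sha256" \
        || echo "tampered bundle: REJECTED (status $?)"
    rm -rf "$dir"
}

demo
```

Because the sidecar is written in `sha256sum` format, `sha256sum -c bundle.tar.gz.sha256` run in the download directory is an equivalent check; the point of `verify_checksum` returning 2 for a missing sidecar is that a CI image build should fail loudly when verification cannot happen, rather than quietly installing an unverified download.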