The zig team publishes signatures of their binaries generated with minisign; it would be nice if setup-zig made use of the signature files to verify the authenticity of the zig binaries. The zig team's public key can be found on https://ziglang.org/download/ . Minisign can be used through github actions via https://github.com/thomasdesr/minisign-action .
I'm making this issue because I am adding a build.zig to https://github.com/libui-ng/libui-ng - we'd like to use this action but we want the binary to be verified.
The zig team publishes signatures of their binaries generated with minisign; it would be nice if setup-zig made use of the signature files to verify the authenticity of the zig binaries. The zig team's public key can be found on https://ziglang.org/download/ . Minisign can be used through github actions via https://github.com/thomasdesr/minisign-action .
I'm making this issue because I am adding a build.zig to https://github.com/libui-ng/libui-ng - we'd like to use this action but we want the binary to be verified.