grafana / tempo

Grafana Tempo is a high volume, minimal dependency distributed tracing backend.
https://grafana.com/oss/tempo/
GNU Affero General Public License v3.0
3.87k stars 503 forks

Consider adding SLSA provenance to releases #3627

Closed udf2457 closed 1 month ago

udf2457 commented 4 months ago

Please consider adding SLSA provenance to your releases.

Some examples of using GitHub and goreleaser:

https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/generic/README.md#provenance-for-goreleaser
https://goreleaser.com/blog/slsa-generation-for-your-artifacts/#slsa-github-generator

Background info: https://docs.sigstore.dev/signing/overview/

joe-elliott commented 4 months ago

Thanks for the suggestion. I am not opposed to this if you (or anyone else) would like to attempt a PR.

udf2457 commented 3 months ago

Thanks @joe-elliott, I am tied down with $work at the moment until (at least) July/August.

But if I get a chance I might experiment with a PR. I also see GitHub have just (2 May) announced something that might potentially simplify the process even further: https://github.blog/changelog/2024-05-02-artifact-attestations-public-beta/

Meanwhile, as you say, if anyone else wants to help...

github-actions[bot] commented 1 month ago

This issue has been automatically marked as stale because it has not had any activity in the past 60 days. The next time this stale check runs, the stale label will be removed if there is new activity. The issue will be closed after 15 days if there is no new activity. Please apply keepalive label to exempt this Issue.