Open benjyw opened 3 months ago
PEX did so here: https://github.com/pex-tool/pex/pull/2442
This would be great. Once we're publishing them, we can then augment scie-pants to check them, and achieve stronger supply-chain assurance.
(If we do something similar for the scie-pants binary itself and also #20166, then I think we'll have "end-to-end" assurance for someone running Pants.)
See https://github.blog/changelog/2024-06-25-artifact-attestations-is-generally-available/ and https://docs.github.com/en/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds
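As an added illustration of the "publish attestations" half of the proposal (this is example configuration, not the Pants project's own workflow), the following GitHub Actions job builds release artifacts and records a build-provenance attestation for them with GitHub's `actions/attest-build-provenance` action; the tag pattern, build command and `dist/*.whl` path are assumptions.

```yaml
# Added example, not taken from the pantsbuild repository.
# The tag pattern, build command and artifact glob below are assumptions.
name: release

on:
  push:
    tags: ["release_*"]   # assumed release tag pattern

permissions:
  contents: read
  id-token: write       # lets the job obtain a Sigstore signing identity via OIDC
  attestations: write   # lets the job store the attestation on GitHub

jobs:
  build-and-attest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build release wheels (assumed command)
        run: ./pants package ::   # placeholder for the real build step

      # Generates a SLSA build-provenance attestation for every wheel and
      # publishes it to the repository's attestation store, where a consumer
      # (e.g. scie-pants) can later verify it before running the artifact.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: "dist/*.whl"
```

A consumer can then verify a downloaded wheel against the publisher's repository with `gh attestation verify <wheel> --repo <owner>/<repo>`, which fails closed if the file was not produced by that repository's workflow.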