-
-
Notifications
You must be signed in to change notification settings - Fork 9.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add attestation to installer #17827
Conversation
Actually, we do docker too. Not sure if that can have attestation? |
Like a docker image? I believe those can have attestations as well (anything that's an OCI blob can), although I haven't played with that part of GH attestations as much. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, thanks @SMillerDev! IMO docs on brew.sh for verifying this would be nice, although arguably most users won't have gh
to verify it with until after they install brew
...
Co-authored-by: Patrick Linnane <patrick@linnane.io>
This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. |
I changed the docker attestation to only run on tags. It might be good to make it continue on errors. |
I think it'd be good to always attest, partly because I'm not sure I understand why it would fail without and partly to ensure this PR passes before merging 😁
I'd rather we didn't add this functionality if we think it's likely to fail. |
It's an annoying docker thing. The attestation uses the package digest. But there is no package digest before it's uploaded somewhere. And we don't upload without a tag. So there are two solutions to this:
Not particularly. I just have no way to test it. |
Do we (n)ever upload the
This seems reasonable, I'm just concerned (kinda like At least if it's |
We don't, it surprised me a bit too.
Yeah, I share your concern there. I'm fine having a look on tags, or changing it to upload for protected branches too. |
Just checked: we do. It's just in |
Yeah, we can attest those to try and then expand it after. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense, thanks! Some tiny naming tweaks then good to 🚢 and keep an eye on this.
Co-authored-by: Mike McQuaid <mike@mikemcquaid.com>
brew style
with your changes locally?brew typecheck
with your changes locally?brew tests
with your changes locally?We have one more artifact that's compiled by us that we can add attestation for.