Generate GitHub Artifact Attestations #174

Merged


@suzuki-shunsuke suzuki-shunsuke commented Apr 8, 2025

Closes: #173

Test

I pushed a tag v0.1.2-0 to the fork repository https://github.com/suzuki-shunsuke/github-mcp-server and confirmed attestations were generated.

https://github.com/suzuki-shunsuke/github-mcp-server/actions/runs/14326892487/job/40153957850
https://github.com/suzuki-shunsuke/github-mcp-server/attestations/6157885

```bash
gh release download -R suzuki-shunsuke/github-mcp-server v0.1.2-0
while read -r asset; do
  echo "$asset"
  gh attestation verify "$asset" \
    -R suzuki-shunsuke/github-mcp-server \
    --signer-workflow suzuki-shunsuke/github-mcp-server/.github/workflows/goreleaser.yml
done < <(ls)
```

Result

github-mcp-server_0.1.2-0_checksums.txt
Loaded digest sha256:6aa7d0c3c21532ed26b2685bc2cbe4275390b949e2b0402e259ccca9bbc32165 for file://github-mcp-server_0.1.2-0_checksums.txt
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/suzuki-shunsuke
- Source Repository URI must match:......... https://github.com/suzuki-shunsuke/github-mcp-server
- Subject Alternative Name must match regex: ^https://github.com/suzuki-shunsuke/github-mcp-server/.github/workflows/goreleaser.yml
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 1 attestation matched the policy criteria

- Attestation #1
  - Build repo:..... suzuki-shunsuke/github-mcp-server
  - Build workflow:. .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0
  - Signer repo:.... suzuki-shunsuke/github-mcp-server
  - Signer workflow: .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0

github-mcp-server_Darwin_arm64.tar.gz
Loaded digest sha256:5e1ddf9643eef2a665e0941d1158e9c20866cce60ea9de72f7434e1a030e0f99 for file://github-mcp-server_Darwin_arm64.tar.gz
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/suzuki-shunsuke
- Source Repository URI must match:......... https://github.com/suzuki-shunsuke/github-mcp-server
- Subject Alternative Name must match regex: ^https://github.com/suzuki-shunsuke/github-mcp-server/.github/workflows/goreleaser.yml
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 1 attestation matched the policy criteria

- Attestation #1
  - Build repo:..... suzuki-shunsuke/github-mcp-server
  - Build workflow:. .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0
  - Signer repo:.... suzuki-shunsuke/github-mcp-server
  - Signer workflow: .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0

github-mcp-server_Darwin_x86_64.tar.gz
Loaded digest sha256:0b0966754489a66c42b307fcc6aa2b66a6f75be2ea5f7d0375a3b52f555f7ad1 for file://github-mcp-server_Darwin_x86_64.tar.gz
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/suzuki-shunsuke
- Source Repository URI must match:......... https://github.com/suzuki-shunsuke/github-mcp-server
- Subject Alternative Name must match regex: ^https://github.com/suzuki-shunsuke/github-mcp-server/.github/workflows/goreleaser.yml
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 1 attestation matched the policy criteria

- Attestation #1
  - Build repo:..... suzuki-shunsuke/github-mcp-server
  - Build workflow:. .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0
  - Signer repo:.... suzuki-shunsuke/github-mcp-server
  - Signer workflow: .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0

github-mcp-server_Linux_arm64.tar.gz
Loaded digest sha256:9041a5241f5fc50917a135896e3938407523ac77581ac5cf737c82ebf1918de2 for file://github-mcp-server_Linux_arm64.tar.gz
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/suzuki-shunsuke
- Source Repository URI must match:......... https://github.com/suzuki-shunsuke/github-mcp-server
- Subject Alternative Name must match regex: ^https://github.com/suzuki-shunsuke/github-mcp-server/.github/workflows/goreleaser.yml
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 1 attestation matched the policy criteria

- Attestation #1
  - Build repo:..... suzuki-shunsuke/github-mcp-server
  - Build workflow:. .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0
  - Signer repo:.... suzuki-shunsuke/github-mcp-server
  - Signer workflow: .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0

github-mcp-server_Linux_i386.tar.gz
Loaded digest sha256:1e403adddc50d5dfa4de8f5a8cb6fc233609fd5117dffe02e5556f90db35f080 for file://github-mcp-server_Linux_i386.tar.gz
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/suzuki-shunsuke
- Source Repository URI must match:......... https://github.com/suzuki-shunsuke/github-mcp-server
- Subject Alternative Name must match regex: ^https://github.com/suzuki-shunsuke/github-mcp-server/.github/workflows/goreleaser.yml
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 1 attestation matched the policy criteria

- Attestation #1
  - Build repo:..... suzuki-shunsuke/github-mcp-server
  - Build workflow:. .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0
  - Signer repo:.... suzuki-shunsuke/github-mcp-server
  - Signer workflow: .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0

github-mcp-server_Linux_x86_64.tar.gz
Loaded digest sha256:5a61ef459e5898673ca60a63e4fdb314069f4d6bf5a84ffcd5df6327cfc08138 for file://github-mcp-server_Linux_x86_64.tar.gz
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/suzuki-shunsuke
- Source Repository URI must match:......... https://github.com/suzuki-shunsuke/github-mcp-server
- Subject Alternative Name must match regex: ^https://github.com/suzuki-shunsuke/github-mcp-server/.github/workflows/goreleaser.yml
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 1 attestation matched the policy criteria

- Attestation #1
  - Build repo:..... suzuki-shunsuke/github-mcp-server
  - Build workflow:. .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0
  - Signer repo:.... suzuki-shunsuke/github-mcp-server
  - Signer workflow: .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0

github-mcp-server_Windows_arm64.zip
Loaded digest sha256:e417ac4d61363dff027dfa33dbda35064e4ac4b55f42aa1ce30a14c665463226 for file://github-mcp-server_Windows_arm64.zip
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/suzuki-shunsuke
- Source Repository URI must match:......... https://github.com/suzuki-shunsuke/github-mcp-server
- Subject Alternative Name must match regex: ^https://github.com/suzuki-shunsuke/github-mcp-server/.github/workflows/goreleaser.yml
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 1 attestation matched the policy criteria

- Attestation #1
  - Build repo:..... suzuki-shunsuke/github-mcp-server
  - Build workflow:. .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0
  - Signer repo:.... suzuki-shunsuke/github-mcp-server
  - Signer workflow: .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0

github-mcp-server_Windows_i386.zip
Loaded digest sha256:5909afabcfc4a09070ac358cc0e702cc212142ff8058770bb617c45ea5cce7d5 for file://github-mcp-server_Windows_i386.zip
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/suzuki-shunsuke
- Source Repository URI must match:......... https://github.com/suzuki-shunsuke/github-mcp-server
- Subject Alternative Name must match regex: ^https://github.com/suzuki-shunsuke/github-mcp-server/.github/workflows/goreleaser.yml
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 1 attestation matched the policy criteria

- Attestation #1
  - Build repo:..... suzuki-shunsuke/github-mcp-server
  - Build workflow:. .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0
  - Signer repo:.... suzuki-shunsuke/github-mcp-server
  - Signer workflow: .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0

github-mcp-server_Windows_x86_64.zip
Loaded digest sha256:127dc1d04cbdae292dc6540963d3e0fa4e4468c8f37b66436c5dd853f07420ea for file://github-mcp-server_Windows_x86_64.zip
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:
- Predicate type must match:................ https://slsa.dev/provenance/v1
- Source Repository Owner URI must match:... https://github.com/suzuki-shunsuke
- Source Repository URI must match:......... https://github.com/suzuki-shunsuke/github-mcp-server
- Subject Alternative Name must match regex: ^https://github.com/suzuki-shunsuke/github-mcp-server/.github/workflows/goreleaser.yml
- OIDC Issuer must match:................... https://token.actions.githubusercontent.com

✓ Verification succeeded!

The following 1 attestation matched the policy criteria

- Attestation #1
  - Build repo:..... suzuki-shunsuke/github-mcp-server
  - Build workflow:. .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0
  - Signer repo:.... suzuki-shunsuke/github-mcp-server
  - Signer workflow: .github/workflows/goreleaser.yml@refs/tags/v0.1.2-0

Note
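
Added example, not part of the original pull request or the project's code: when a loop like the one in the test above is reused as a CI gate, its exit status is that of the last asset only, so a failure in the middle of the list goes unnoticed. A fail-closed variant using only the `gh attestation verify` flags shown above; the function name and its arguments are illustrative.

```bash
#!/usr/bin/env bash
# Added example: fail-closed attestation check for a directory of release assets.
# verify_release_assets, its arguments and variable names are illustrative.
# Only the gh flags that appear in the PR's test (-R, --signer-workflow) are used.

verify_release_assets() {
  local dir=$1 repo=$2 workflow=$3
  local asset failed=0 checked=0

  # Glob instead of parsing `ls`, so names containing spaces stay intact.
  for asset in "$dir"/*; do
    [ -f "$asset" ] || continue
    checked=$((checked + 1))
    if gh attestation verify "$asset" \
         -R "$repo" \
         --signer-workflow "$repo/$workflow" >/dev/null 2>&1; then
      echo "ok    ${asset##*/}"
    else
      echo "FAIL  ${asset##*/}" >&2
      failed=$((failed + 1))
    fi
  done

  # An empty download directory must not count as a successful verification.
  if [ "$checked" -eq 0 ]; then
    echo "no assets found in $dir" >&2
    return 2
  fi

  echo "$checked checked, $failed failed"
  # Non-zero exit if any single asset failed verification.
  [ "$failed" -eq 0 ]
}

# Usage, after `gh release download` into ./assets:
#   verify_release_assets ./assets suzuki-shunsuke/github-mcp-server \
#     .github/workflows/goreleaser.yml
```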

@Copilot Copilot AI review requested due to automatic review settings April 8, 2025 06:35

@Copilot Copilot AI left a comment

Copilot reviewed 1 out of 1 changed files in this pull request and generated no comments.

Comment on lines +8 to +9
id-token: write
attestations: write
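
Review bot: `id-token: write` and `attestations: write` at lines +8 to +9 are write scopes, so if these lines sit in a workflow-wide `permissions` block they should move to the single job that signs the release. `id-token: write` lets any step in scope request an OIDC token for the workflow's identity, which is the identity `gh attestation verify --signer-workflow` later trusts. A short comment beside each line saying it is required for artifact attestations would also help later reviewers.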
@SamMorrowDrums SamMorrowDrums merged commit 923e1b0 into github:main Apr 8, 2025
9 checks passed
@github-project-automation github-project-automation bot moved this to Done in main Apr 8, 2025
@SamMorrowDrums
Thanks very much.

@suzuki-shunsuke suzuki-shunsuke deleted the github-artifact-attestations branch April 8, 2025 08:16