Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Verify packages using GitHub Artifact Attestations #3118

Closed
suzuki-shunsuke opened this issue Sep 23, 2024 · 1 comment · Fixed by #3119
Closed

Verify packages using GitHub Artifact Attestations #3118

suzuki-shunsuke opened this issue Sep 23, 2024 · 1 comment · Fixed by #3119
Labels
enhancement New feature or request
Milestone
v2.35.0

Comments

@suzuki-shunsuke
Copy link
Member

suzuki-shunsuke commented Sep 23, 2024
edited
Loading

Feature Overview

Verify packages using GitHub Artifact Attestations.

Why is the feature needed?

To install packages securely.

Workaround

No response

Example Code

Similar to Cosign and SLSA Provenance.

https://aquaproj.github.io/docs/reference/security/cosign-slsa

packages:
  - type: github_release
    repo_owner: terraform-linters
    repo_name: tflint
    asset: tflint_{{.OS}}_{{.Arch}}.{{.Format}}
    format: zip
    github_artifact_attestations:
      signer-workflow: terraform-linters/tflint/.github/workflows/release.yml

Note
@suzuki-shunsuke suzuki-shunsuke added the enhancement New feature or request label Sep 23, 2024
@suzuki-shunsuke suzuki-shunsuke mentioned this issue Sep 23, 2024
Closed
@suzuki-shunsuke suzuki-shunsuke pinned this issue Sep 23, 2024
@suzuki-shunsuke
Copy link
Member Author

Seems like tflint provides GitHub Artifact Attestations.

@suzuki-shunsuke suzuki-shunsuke mentioned this issue Sep 23, 2024
Merged
@suzuki-shunsuke suzuki-shunsuke added this to the v2.34.1 milestone Sep 23, 2024
@suzuki-shunsuke suzuki-shunsuke unpinned this issue Sep 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
v2.35.0
Development

Successfully merging a pull request may close this issue.

feat: verify GitHub Artifact Attestations aquaproj/aqua
1 participant
@suzuki-shunsuke