GitHub Artifact Attestations

I'm personally really excited for this feature: one of the hard lessons around any sort of digital signing is that users do not manage or store their keys correctly, and that poor UX/DX around signing tools (most notably GPG) leads to pervasive normalization of deviance around unsafe practices. Lifting digital signing to the identity later (i.e. by binding it to a digital identity that can be provably controlled, like a GitHub repository) sidesteps nearly all of these problems.