GitHub Artifact Attestations
github.blog
Not sure if this works with artifacts pushed to GHCR (GitHub Container Registry), for example Docker containers. I think not.
But it's still a good step towards more integrity in the software supply chain.
We’re thrilled to announce the general availability of GitHub Artifact Attestations! Artifact Attestations allow you to guarantee the integrity of artifacts built inside GitHub Actions by creating and verifying signed attestations.
It does, as long as it was _built_ inside Actions (source: am one of the authors).
I see it in the readme now, interesting!
A question out of curiosity:
Would you say that this is still a good fit for company-internal docker images?
I.e. a packaged Rails app that's deployed in production using Docker (to basically verify that we only deploy images built in CI [GitHub Actions])
Or would something more lightweight, like the Notary project[1], be a better fit for internal use?
(I know signing and provenance are different things, though for internal purposes, we can kind of infer provenance from just seeing a signed container, assuming we've locked down the build environment properly)
[1] https://notaryproject.dev/docs/quickstart-guides/quickstart-...
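For the internal "only deploy what CI built" use case discussed above, here is an added example of a deploy gate (not code from the thread or from GitHub) that wraps `gh attestation verify` for a GHCR image. It assumes the gh CLI is installed and authenticated; `example-org` and the image reference are placeholders, and the digest in the comments is constructed.

```shell
#!/bin/sh
# Deploy gate: refuse to deploy a container image unless GitHub can verify an
# attestation showing it was built by a workflow in our organisation.
# Assumes the gh CLI (with the `attestation` subcommand) is installed and
# authenticated. "example-org" and the image name are placeholders.

# A tag such as :latest is mutable, so the image that gets verified and the
# image that gets deployed could differ. Require a digest-pinned reference.
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Returns 0 only if gh finds a valid attestation for this image digest that was
# issued by a workflow belonging to the given org; returns 2 if the reference
# is not pinned (gh is not called in that case).
verify_image_built_in_ci() {
    image="$1"
    org="$2"
    if ! is_digest_pinned "$image"; then
        echo "refusing: $image is not pinned to a digest" >&2
        return 2
    fi
    gh attestation verify "oci://$image" --owner "$org"
}

deploy_gate() {
    if verify_image_built_in_ci "$1" "$2"; then
        echo "attested: deploying $1"
        # docker pull "$1" && ...   (the real deploy step goes here)
    else
        echo "blocked: no valid attestation for $1" >&2
        return 1
    fi
}

# Example invocation, run only when DEPLOY_GATE_RUN=1 so this file can be
# sourced by other scripts without side effects. The digest is a placeholder.
if [ "${DEPLOY_GATE_RUN:-0}" = "1" ]; then
    deploy_gate "ghcr.io/example-org/rails-app@sha256:<digest>" "example-org"
fi
```

Because `gh attestation verify` resolves `oci://` references against the registry, pinning to the digest ties the verification result to the exact image your orchestrator pulls.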