Comment by wlamartin

2 years ago

Ah, I think you might be pleasantly surprised that this is an area being focused on right now with attestations[1] for example, here are the attestations for the GitHub CLI[2].

1: https://github.blog/2024-05-02-introducing-artifact-attestat...

2: https://github.com/cli/cli/attestations

1 comment

wlamartin

Reply
g-b-r  2 years ago

Maybe this whole cryptographic stuff has some use, but all that which was needed was for GitHub to declare when a file was uploaded manually and when by a workflow (specifying which workflow).

This looks so complex that it might well be just smoke and mirrors