
Implement build provenance attestations before release creation#115

Merged
anoncam merged 8 commits into main from copilot/implement-immutable-releases
Feb 28, 2026

Conversation

Contributor

Copilot AI commented Feb 27, 2026

Build provenance attestations must be created before publishing releases to ensure proper artifact association at publication time.

Changes

  • Workflow order corrected: Attestation steps (lines 509-517) now execute before Create GitHub Release (line 519)
  • Documentation updated: All references changed from conditional ("can be immutable when enabled") to declarative ("are immutable") since immutability is enabled in repository settings

Implementation

- name: Attest build provenance for SBOM
  uses: actions/attest-build-provenance@v2
  with:
    subject-path: ./bom.json

- name: Attest build provenance for build artifacts
  uses: actions/attest-build-provenance@v2
  with:
    subject-path: 'dist/*'

- name: Create GitHub Release  # Attestations created first
  uses: softprops/action-gh-release@v2

Attestations are cryptographically signed and verifiable via gh attestation verify.

Original prompt

This section gives details on the original issue you should resolve

<issue_title>Implement Immutable Releases</issue_title>
<issue_description>https://github.blog/changelog/2025-10-28-immutable-releases-are-now-generally-available/</issue_description>

Comments on the Issue (you are @copilot in this section)



Copilot AI and others added 2 commits February 27, 2026 17:03
Co-authored-by: anoncam <46797044+anoncam@users.noreply.github.com>
Co-authored-by: anoncam <46797044+anoncam@users.noreply.github.com>
Copilot AI changed the title [WIP] Add support for immutable releases Implement immutable releases with build provenance attestations Feb 27, 2026
@anoncam anoncam marked this pull request as ready for review February 27, 2026 18:08
@anoncam anoncam requested a review from Copilot February 27, 2026 18:08

Copilot AI left a comment


Pull request overview

This pull request implements GitHub's Immutable Releases feature with build provenance attestations to enhance supply chain security for DedPaste releases. The changes add cryptographic attestation generation to the release workflow and provide comprehensive documentation for users to verify release authenticity.

Changes:

  • Added attestations: write permission and build provenance attestation steps using actions/attest-build-provenance@v2 to the release workflow
  • Updated release notes generation to include verification instructions for attestations
  • Added verification section to README.md with examples of using gh attestation verify
  • Created comprehensive RELEASE-PROCESS.md documentation covering the full release process, attestation verification, and troubleshooting

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File | Description
.github/workflows/release-with-sbom.yml | Added attestation permissions and attestation steps for SBOM and build artifacts; updated release notes to include verification instructions
README.md | Added verification section demonstrating how to verify release artifacts using GitHub CLI attestation commands
docs/RELEASE-PROCESS.md | New comprehensive documentation explaining the release process, immutable releases feature, attestation implementation, verification steps, and troubleshooting guidance
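The ordering rule stated in the PR description and summarised in the review above (every attest-build-provenance step must run before the step that creates the release, and the job must hold the permission the attest action needs) is easy to regress when a workflow is edited, so it is worth checking mechanically in CI. The script below is an added example written for this page; it is not code from the DedPaste repository, from actions/attest-build-provenance or from softprops/action-gh-release. It assumes the two action names shown in the PR description, and that the workflow grants id-token: write alongside the attestations: write permission the PR adds (both are documented as required by the attest action). The two workflow texts it scans are constructed samples modelled on the snippet in the description.

```python
"""Check a GitHub Actions release workflow for the ordering this PR enforces:
every actions/attest-build-provenance step must run before the step that
creates the GitHub release, and the permissions the attest action needs
must be granted.

Added example for this PR page, not code from the DedPaste repository.
A small line-based scanner replaces a YAML library so the script needs only
the standard library; it handles the common step layouts (`- name:` followed
by `uses:`, or a bare `- uses:`).
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

ATTEST_ACTION = "actions/attest-build-provenance"
RELEASE_ACTION = "softprops/action-gh-release"
# Permissions the attest-build-provenance action documents as required.
REQUIRED_PERMISSIONS = {"id-token": "write", "attestations": "write"}

NAMED_STEP_RE = re.compile(r"^\s*-\s+name:\s*(.+?)\s*$")
BARE_USES_STEP_RE = re.compile(r"^\s*-\s+uses:\s*(\S+)")
USES_RE = re.compile(r"^\s*uses:\s*(\S+)")
PERM_RE = re.compile(r"^\s*(id-token|attestations|contents):\s*(read|write|none)\s*$")


@dataclass
class Step:
    name: str
    uses: str = ""


def parse_steps(text: str) -> list[Step]:
    """Return the steps in file order, each with the action it uses (if any)."""
    steps: list[Step] = []
    for line in text.splitlines():
        if m := NAMED_STEP_RE.match(line):
            steps.append(Step(name=m.group(1).strip("'\"")))
        elif m := BARE_USES_STEP_RE.match(line):
            action = m.group(1).strip("'\"")
            steps.append(Step(name=action, uses=action))
        elif (m := USES_RE.match(line)) and steps and not steps[-1].uses:
            steps[-1].uses = m.group(1).strip("'\"")
    return steps


def parse_permissions(text: str) -> dict[str, str]:
    """Collect permission keys granted anywhere in the workflow (workflow or job level)."""
    perms: dict[str, str] = {}
    for line in text.splitlines():
        if m := PERM_RE.match(line):
            perms[m.group(1)] = m.group(2)
    return perms


def lint_release_workflow(text: str) -> list[str]:
    """Return findings; an empty list means the workflow satisfies both rules."""
    findings: list[str] = []
    steps = parse_steps(text)
    attest = [i for i, s in enumerate(steps) if s.uses.startswith(ATTEST_ACTION)]
    release = [i for i, s in enumerate(steps) if s.uses.startswith(RELEASE_ACTION)]
    if not attest:
        findings.append("no build provenance attestation step found")
    if not release:
        findings.append("no release creation step found")
    # Every attestation step must precede the first release-creation step.
    if attest and release and max(attest) > min(release):
        late = [steps[i].name for i in attest if i > min(release)]
        findings.append(f"attestation step(s) run after release creation: {late}")
    perms = parse_permissions(text)
    for key, needed in REQUIRED_PERMISSIONS.items():
        if perms.get(key) != needed:
            findings.append(f"missing permission {key}: {needed}")
    return findings


# Constructed sample: the ordering the PR description shows, with permissions.
WORKFLOW_FIXED = """\
permissions:
  contents: write
  id-token: write
  attestations: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Attest build provenance for SBOM
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: ./bom.json
      - name: Attest build provenance for build artifacts
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: 'dist/*'
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
"""

# Constructed sample: release created first, and id-token: write missing.
WORKFLOW_BROKEN = """\
permissions:
  contents: write
  attestations: write
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
      - name: Attest build provenance for SBOM
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: ./bom.json
      - name: Attest build provenance for build artifacts
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: 'dist/*'
"""

if __name__ == "__main__":
    # With a path argument, lint that workflow file; otherwise run the samples.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            problems = lint_release_workflow(fh.read())
        print("\n".join(problems) or "ok")
        sys.exit(1 if problems else 0)
    for label, text in (("fixed", WORKFLOW_FIXED), ("broken", WORKFLOW_BROKEN)):
        print(label, lint_release_workflow(text) or "ok")
```

Run it as `python check_release_order.py .github/workflows/release-with-sbom.yml` (script name is the example's own) to get a non-zero exit when an attestation step has drifted below the release step or a required permission is gone. The check deliberately looks only at step order and permissions; whether the attestation actually covers a given downloaded asset is what `gh attestation verify` answers at the consumer's end.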

Copilot AI and others added 4 commits February 28, 2026 00:20
… immutability settings

Co-authored-by: anoncam <46797044+anoncam@users.noreply.github.com>
Co-authored-by: anoncam <46797044+anoncam@users.noreply.github.com>
Co-authored-by: anoncam <46797044+anoncam@users.noreply.github.com>
Co-authored-by: anoncam <46797044+anoncam@users.noreply.github.com>
Co-authored-by: anoncam <46797044+anoncam@users.noreply.github.com>
Copilot AI changed the title Implement immutable releases with build provenance attestations Reflect active immutability in release documentation Feb 28, 2026
Copilot AI changed the title Reflect active immutability in release documentation Implement build provenance attestations before release creation Feb 28, 2026
@anoncam anoncam merged commit 7cbc3d7 into main Feb 28, 2026
4 checks passed
@anoncam anoncam deleted the copilot/implement-immutable-releases branch February 28, 2026 00:38
github-actions bot added a commit that referenced this pull request Feb 28, 2026
Version bump type: patch
PR: #115
Title: Implement build provenance attestations before release creation

Labels

enhancement New feature or request


Development

Successfully merging this pull request may close these issues.

Implement Immutable Releases
