public-mirrors
/
composer
mirror of https://github.com/composer/composer
1
0
Fork 0
Code

Generate build provenance attestation during release 

This will simplify secure installation of composer in GitHub Actions to two
calls to `gh` cli with no need to manually import any PGP signing keys:

    gh release --repo composer/composer download --pattern composer.phar
    gh attestation verify --repo composer/composer composer.phar

Given that the current PGP signing key is stored as a GitHub Action secret,
this type of attestation is no less secure than the existing PGP signing.
pull/12258/head
Tim Düsterhus 2025-01-02 15:43:33 +01:00
parent b89036c1f8
commit 089972db87
No known key found for this signature in database
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
.github/workflows/release.yml vendored
View File

@ -15,6 +15,8 @@ jobs:
build: build:
permissions: permissions:
contents: write # for actions/create-release to create a release contents: write # for actions/create-release to create a release
id-token: write # for actions/attest-build-provenance to create a attestation certificate
attestations: write # for actions/attest-build-provenance to upload the attestation
name: Upload Release Asset name: Upload Release Asset
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
@ -41,6 +43,11 @@ jobs:
- name: Build phar file - name: Build phar file
run: "php -d phar.readonly=0 bin/compile" run: "php -d phar.readonly=0 bin/compile"
- name: Generate build provenance attestation
uses: actions/attest-build-provenance@v2
with:
subject-path: '${{ github.workspace }}/composer.phar'
- name: Create release - name: Create release
id: create_release id: create_release
uses: actions/create-release@v1 uses: actions/create-release@v1