089972db87
This will simplify secure installation of composer in GitHub Actions to two
calls to `gh` cli with no need to manually import any PGP signing keys:
gh release --repo composer/composer download --pattern composer.phar
gh attestation verify --repo composer/composer composer.phar
Given that the current PGP signing key is stored as a GitHub Action secret,
this type of attestation is no less secure than the existing PGP signing.
|
||
|---|---|---|
| .. | ||
| autoloader.yml | ||
| close-stale-support.yml | ||
| continuous-integration.yml | ||
| lint.yml | ||
| phpstan.yml | ||
| release.yml | ||