composer/.github
Tim Düsterhus 089972db87
Generate build provenance attestation during release
This will simplify secure installation of composer in GitHub Actions to two
calls to `gh` cli with no need to manually import any PGP signing keys:

    gh release --repo composer/composer download --pattern composer.phar
    gh attestation verify --repo composer/composer composer.phar

Given that the current PGP signing key is stored as a GitHub Action secret,
this type of attestation is no less secure than the existing PGP signing.
2025-01-08 15:46:13 +01:00
workflows Generate build provenance attestation during release 2025-01-08 15:46:13 +01:00
CONTRIBUTING.md CONTRIBUTING: remove outdated suggestion (#11600) 2023-08-30 14:09:14 +02:00
ISSUE_TEMPLATE.md Update ISSUE_TEMPLATE.md 2021-06-09 09:47:37 +02:00
dependabot.yml chore: Included githubactions in the dependabot config (#10900) 2022-06-28 20:32:45 +02:00
pull_request_template.md Update pull_request_template.md 2022-08-17 17:43:21 +02:00