Add NuGet package attestations using GitHub provenance #3119
Test Results: 37 files (±0), 37 suites (±0), 2m 55s (+18s). Results for commit 518a9fc, compared against base commit 2ff081c. This pull request removes 10 and adds 8 tests (renamed tests count towards both).
Coveralls: Pull Request Test Coverage Report for Build 19192192660.
Qodana for .NET: no new problems were found according to the checks applied. Qodana analysis was run in pull request mode, so only the changed files were checked.
Force-pushed 66b076d to 34b4022.
jnyrup left a comment:
I've got no experience with attestation but it seems like a good thing to do.
What triggered you to enable this?
I only read this blog post so far.
https://andrewlock.net/creating-provenance-attestations-for-nuget-packages-in-github-actions/
This suggestion was the trigger: dennisdoomen/dotnet-library-starter-kit#35
Co-authored-by: dennisdoomen <572734+dennisdoomen@users.noreply.github.com>
Force-pushed 34b4022 to 518a9fc.
Closes #[issue_number]
Adds cryptographically signed provenance attestations to NuGet packages on release, enabling consumers to verify package authenticity and build integrity.
Changes
- Added `id-token: write` and `attestations: write` to the build job for OIDC and attestation generation.
- Check for `.nupkg` existence before attestation (tag pushes only).
- Use `actions/attest-build-provenance@v2` for all packages in `Artifacts/`.

Attestations are created after the package build and before upload, only on tag pushes when packages exist.
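The wiring described above, written out as an added example rather than the PR's own workflow: the permissions, the `Artifacts/` directory, the tag-push condition and `actions/attest-build-provenance@v2` come from the description, while the job layout, the `packages` step id, the `dotnet pack` invocation and the checkout/setup-dotnet versions are assumptions.

```yaml
# Hypothetical release workflow (not the repository's own file).
name: release

on:
  push:
    branches: [main]
    tags: ['v*']

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write       # OIDC token the attest action exchanges for a Sigstore signing cert
      attestations: write   # needed to store the attestation against this repository
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4

      - name: Pack
        run: dotnet pack --configuration Release --output Artifacts

      # Record whether any .nupkg exists so the attest step never runs on an empty glob.
      - name: Check for packages
        id: packages
        run: |
          if ls Artifacts/*.nupkg >/dev/null 2>&1; then
            echo "found=true" >> "$GITHUB_OUTPUT"
          else
            echo "found=false" >> "$GITHUB_OUTPUT"
          fi

      # Attest only on tag pushes and only when packages were actually produced,
      # after the build and before the artifacts leave the job.
      - name: Attest build provenance
        if: github.ref_type == 'tag' && steps.packages.outputs.found == 'true'
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: Artifacts/*.nupkg

      - name: Upload packages
        uses: actions/upload-artifact@v4
        with:
          name: packages
          path: Artifacts/*.nupkg
```

A consumer can then check a downloaded package against the recorded provenance with the GitHub CLI, e.g. `gh attestation verify <package>.nupkg --owner <org>`, which fails if the file's digest does not match an attestation signed for that owner.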