geode
(feature/buildsystem/actions): use artifact attestations for built releases
Geode Version
n/a
Related Problem
The current release and build GitHub Actions are great, if a little complex (it might be better to make a script that automates the build process and just run that script for easy development, but I don't know). However, after the draft GitHub release is created, there is technically no guarantee that the artifacts haven't been tampered with from the GitHub release editor.
Your Solution
It's super easy to add that guarantee. There are quite a few Artifact Attestation GitHub Actions: GitHub provides a bare-bones one, and there are some that integrate with CMake. This means that you can easily check the attestation against the file you download. (See this surprisingly informative GitHub blog post on SLSA for more information.)
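As an added illustration (not Geode's real workflow), this is what the bare-bones GitHub-provided attestation step and the consumer-side check look like; the build steps are elided, and the artifact path `build/Geode.zip`, the tag trigger and the `OWNER/geode` repo slug are placeholders.

```yaml
# Added example, not the project's own workflow. Only the permissions, the
# attestation step and the upload step are shown; the build itself is elided.
name: release
on:
  push:
    tags: ["v*"]

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # upload assets to the draft release
      id-token: write      # OIDC identity used to sign the attestation (Sigstore)
      attestations: write  # store the attestation in the repository
    steps:
      - uses: actions/checkout@v4

      # ... build steps producing build/Geode.zip (assumed path) ...

      # Record SLSA provenance for the artifact: which workflow, commit and
      # runner produced this exact digest. The attestation is stored on
      # GitHub, separately from the release asset itself.
      - name: Attest release artifact
        uses: actions/attest-build-provenance@v1
        with:
          subject-path: build/Geode.zip

      # Upload the same file to the draft release (assumes gh CLI on PATH).
      - name: Upload to draft release
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh release upload "${{ github.ref_name }}" build/Geode.zip --clobber

# Consumer side (run locally, not part of the workflow): after downloading the
# asset from the release page, check that its digest matches an attestation
# signed by this repository's workflow. OWNER/geode is a placeholder slug.
#
#   gh attestation verify Geode.zip --repo OWNER/geode
#
# A file replaced or edited through the release editor has a different digest
# from every attested subject, so the verify command exits non-zero.
```

The `--repo` flag restricts acceptable attestations to ones issued for that repository, which is what closes the "swapped in the release editor" gap the issue describes.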
Additional Information
This is also achievable by matching the official release commit against the last GitHub Actions build run and comparing the artifact SHA from the GitHub release output with the one in the GitHub Actions output. This is finicky, and there is a better-designated system for it.