
[Request] Enable Immutable Releases

Open jkylekelly opened this issue 5 months ago • 4 comments

👋 Hi there!

We're the Package Security team at GitHub. We recently staff shipped immutable releases, a feature designed to improve supply chain security by preventing modifications to published releases.

We noticed that gh-gei is actively using GitHub Releases, and wanted to ask if you'd consider enabling immutability for your releases. This can be done with a simple checkbox in your repository's Settings > General > Enable release immutability.

If you have any concerns, blockers, or reasons for not enabling this feature, we'd love to hear about them! Your feedback helps us better understand real-world needs and improve our offerings.

For more details or discussion, please see: https://github.com/github/security-products/discussions/1883

Thanks for helping keep the ecosystem secure!

jkylekelly avatar Jul 11 '25 16:07 jkylekelly

@jkylekelly That setting isn't available to me for this repo (I see it for other non-public GH repos).

dylan-smith avatar Jul 11 '25 16:07 dylan-smith

Hey @dylan-smith, apologies - should be available now!

jkylekelly avatar Jul 11 '25 16:07 jkylekelly

Done

dylan-smith avatar Jul 11 '25 19:07 dylan-smith

The 3rd party action we use to publish releases doesn't play nice with immutable releases, so I've turned it off for now.

Example publish failure: https://github.com/github/gh-gei/actions/runs/16352141307/job/46217584357

dylan-smith avatar Jul 17 '25 23:07 dylan-smith