dalec
[REQ] Sign release artifacts
What kind of request is this?
Improvement of existing experience
What is your request or suggestion?
The release artifacts from this repo are not currently signed. The only artifacts we currently produce are container images. While image signing isn't exactly standardized, we can take some existing patterns from the community to do that signing.
As an example, cosign can be used to sign images with OIDC tokens from GitHub Actions.
Are you willing to submit PRs to contribute to this feature request?
- [ ] Yes, I am willing to implement it.
Example flow to sign and verify: https://github.com/kaito-project/aikit/blob/main/.github/workflows/release.yaml
We can also use the GitHub attest action: https://github.com/actions/attest