GitHub Artifact Attestations are generally available!

[tinaheidinger]

Hi,

I‘m excited to announce that GitHub Artifact Attestations are now generally available!

Artifact Attestations allow you to guarantee the integrity of artifacts built inside GitHub Actions by creating and verifying signed attestations. With this release, you can now build an admission controller using GitHub‘s distribution of the Sigstore Policy Controller to validate attestations directly within your Kubernetes clusters.

👀 Want to learn more? Check out these resources:

• Our changelog post with an overview of the new capabilities
• Documentation about using an admission controller to enforce artifact attestations in your Kubernetes cluster
• Where does your software really come from about software attestations

⁉️ Please feel free to post here for feedback or questions!

[tschwaerzl]

Hey, I just tried the attestation within my organization wich is on the 'Team' plan.

I get the following error in the GitHub Actions log:

Error: Failed to persist attestation: Feature not available for the *REDACTED* organization. To enable this feature, please upgrade the billing plan, or make this repository public. - https://docs.github.com/rest/repos/repos#create-an-attestation

I couldn't find any information about what plan level is the minimum. So I'm asking here: What plan level do I need to use this feature with a private repository?

[tinaheidinger]

Hi @tschwaerzl, attestations for private repositories requires a GitHub Enterprise Cloud license. Thank you for pointing this out, we'll revisit our documentation to make this more explicit!

[sstrullmyer]

Hi - Any chance you know whether (and/or rough ballpark when) GitHub Artifact Attestations will be made available in GHES?

Thank you in advance!

[tinaheidinger]

Hi @sstrullmyer, for us to leverage our root certificate authority and attest that a build is secure, it needs to take place on our systems. Due to the nature of the feature, it is not possible to offer it in an on-prem deployment.

[sstrullmyer]

Understood - thanks for the context and your reply!

[suzuki-shunsuke]

I have some feedback.

1. It would be helpful if we can see GitHub Release assets have attestations.

For example, tflint's checksums.txt has attestations, but we can't notice that from GitHub Releases.

• https://github.com/terraform-linters/tflint/releases/tag/v0.53.0
• https://github.com/terraform-linters/tflint/attestations

So we can't notice easily that we can verify assets using attestations.

[suzuki-shunsuke]

2. The Web UI of attestations is a bit hard to find

Actions > Attestions

I'm not sure why Attestation is under Actions.
I think Attestations is independent of Actions.

The Web UI of attestations is a bit hard to find. It's helpful if we can find it more easily.

[suzuki-shunsuke]

Is there any way to verify the branch or tag creating artifacts?

For example, I want to verify the release tag which created assets.

The asset hello was created by the tag v0.1.0-3.

https://github.com/suzuki-shunsuke/test-github-artifact-attestation/releases/tag/v0.1.0-3

I want to verify if the downloaded artifact was really created by the tag v0.1.0-3.

[tinaheidinger]

@suzuki-shunsuke Thank you for the feedback, and apologies for the late reply! We'll iterate on the UI, so stay tuned for some updates there. Attesting releases is something we're actively looking into: github/roadmap#943

[charlie-goldenowl]

❤️ ❤️ ❤️❤️ ❤️ ❤️❤️ ❤️ ❤️❤️ ❤️ ❤️