Skip to content

chore(actions): Add doc how to verify GH attestations with GitHub cli and verify release artifacts with Cosign #2846

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ViacheslavKudinov wants to merge 9 commits into
base: main
Choose a base branch
from
Open

chore(actions): Add doc how to verify GH attestations with GitHub cli and verify release artifacts with Cosign #2846

ViacheslavKudinov wants to merge 9 commits into from
+115 −0

Conversation

@ViacheslavKudinov
Copy link
Contributor

@ViacheslavKudinov ViacheslavKudinov commented Oct 29, 2025
edited
Loading

Resolves #NaN

Before the change?

  • There is no doc how to verify attestations

After the change?

Pull request checklist

  • Schema migrations have been created if needed (example)
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been reviewed and added / updated if needed (for bug fixes / features)

Does this introduce a breaking change?

Please see our docs on breaking changes to help!

  • Yes
  • No

@ViacheslavKudinov ViacheslavKudinov force-pushed the maintenance/add-attestation branch from 10dbe42 to cc98a12 Compare October 29, 2025 23:50
@ViacheslavKudinov
Add GH attestation on release
4d2ad53 
Signed-off-by: Viacheslav Kudinov <[email protected]>
@ViacheslavKudinov ViacheslavKudinov force-pushed the maintenance/add-attestation branch from cc98a12 to 4d2ad53 Compare October 29, 2025 23:50
@ViacheslavKudinov ViacheslavKudinov marked this pull request as ready for review October 29, 2025 23:52
@ViacheslavKudinov ViacheslavKudinov mentioned this pull request Oct 29, 2025
Open
5 tasks
@ViacheslavKudinov
Copy link
Contributor Author

ViacheslavKudinov commented Oct 30, 2025
edited
Loading

Any known thing why we may regret by adding attestation?

Just loudly thinking if anything we need to consider

@ViacheslavKudinov ViacheslavKudinov changed the title chore(Actions): Add GH attestation on release process chore(actions): Add GH attestation on release process Nov 1, 2025
@nickfloyd nickfloyd added this to the v7 Next milestone Nov 20, 2025
@nickfloyd nickfloyd moved this from Backlog to On Deck in Terraform Provider Nov 20, 2025
@github-actions github-actions bot added the Type: Maintenance Any dependency, housekeeping, and clean up Issue or PR label Nov 23, 2025
@ViacheslavKudinov ViacheslavKudinov changed the title chore(actions): Add GH attestation on release process chore(actions): Add doc how to verify GH attestations Dec 8, 2025
@ViacheslavKudinov
Copy link
Contributor Author

ViacheslavKudinov commented Dec 8, 2025

@nickfloyd @stevehipwell I've updated PR to resolve conflicts after workflows were updated.
Now it includes only doc how to do verification of attestations.

Please, feel free to suggest any updates.

stevehipwell
stevehipwell requested changes Dec 9, 2025
View reviewed changes
Copy link
Collaborator

@stevehipwell stevehipwell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would it be possible to add the cosign equivalents of the gh commands? We also ought to provide the command to verify the SHA256SUMS file signature.

@ViacheslavKudinov ViacheslavKudinov force-pushed the maintenance/add-attestation branch from c992315 to 56c8a2e Compare December 10, 2025 21:47
@ViacheslavKudinov ViacheslavKudinov changed the title chore(actions): Add doc how to verify GH attestations chore(actions): Add doc how to verify GH attestations with GitHub cli and verify release artifacts with Cosign Dec 10, 2025
@ViacheslavKudinov ViacheslavKudinov force-pushed the maintenance/add-attestation branch from 56c8a2e to 17126dc Compare December 10, 2025 21:54
@ViacheslavKudinov ViacheslavKudinov force-pushed the maintenance/add-attestation branch from 17126dc to 00de37c Compare December 10, 2025 22:02
@ViacheslavKudinov
Copy link
Contributor Author

ViacheslavKudinov commented Dec 11, 2025

@stevehipwell i've updated doc.
It is not exactly equivalents as with Cosign is only signed checksum file,
but anyway i tried to cover what we can do with current settings to verify the SHA256SUMS file signature and then with checksum the artifact(s).

Please, let me know if something else was expected or i've missed.

stevehipwell
stevehipwell requested changes Dec 12, 2025
View reviewed changes
Copy link
Collaborator

@stevehipwell stevehipwell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added some comments, note that you can also verify the attestations with cosign.

ViacheslavKudinov and others added 2 commits December 12, 2025 17:11
@ViacheslavKudinov @stevehipwell
Update VERIFY_ATTESTATIONS.md
d032e0a 
Co-authored-by: Steve Hipwell <[email protected]>
@ViacheslavKudinov @stevehipwell
Update VERIFY_ATTESTATIONS.md
199e2e6 
Co-authored-by: Steve Hipwell <[email protected]>
@ViacheslavKudinov @stevehipwell
Update VERIFY_ATTESTATIONS.md
3e4e256 
Co-authored-by: Steve Hipwell <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@stevehipwell stevehipwell stevehipwell requested changes

+1 more reviewer

@deiga deiga deiga approved these changes

Reviewers whose approvals may not affect merge requirements

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

Type: Maintenance Any dependency, housekeeping, and clean up Issue or PR

Projects

Terraform Provider
Status: On Deck

Milestone

v7 Next

Development

Successfully merging this pull request may close these issues.

4 participants

@ViacheslavKudinov @deiga @stevehipwell @nickfloyd