GitHub has introduced Artifact Attestations, a software signing and verification feature based on Sigstore that protects the integrity of software builds in GitHub Actions workflows. Artifiact Attestations is now available in a public beta.
Announced May 2, Artifact Attestations allows project maintainers to create a “tamper-proof, unforgeable paper trail” that links software artifacts to the process that created them. “Downstream consumers of this metadata can use it as a foundation for new security and validity checks through policy evaluations via tools like Rego and Cue,” GitHub wrote in the announcement.