GitHub

Harden the software supply chain and release pipeline to ensure artifact integrity from build through deployment. This milestone implements SLSA-aligned build provenance, dependency pinning and verification, container image signing, release artifact attestation, and reproducible build configurations. These controls protect downstream consumers and satisfy enterprise procurement security requirements.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

v2.8.0 — Supply Chain Security & Release Integrity

[FEATURE] Replace SLSA attestation with enterprise-compliant actions/attest

ci(security): establish security review gate via CODEOWNERS, PR template, and label

ci(release): implement Sigstore keyless signing for release tags

ci(containers): add GitHub-native attestation for container images

ci(provenance): standardize SLSA L3 provenance across workflows

docs(security): create docs/security/ consumer verification documentation

ci(security): SHA-pin slsa-framework/slsa-github-generator in pages-deploy.yml