fix(security): add artifact attestation for signed releases#257
Merged
WilliamBerryiii merged 4 commits intomainfrom Jan 25, 2026
Merged
fix(security): add artifact attestation for signed releases#257WilliamBerryiii merged 4 commits intomainfrom
WilliamBerryiii merged 4 commits intomainfrom
Conversation
Contributor
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.OpenSSF Scorecard
Scanned Files
|
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #257 +/- ##
==========================================
+ Coverage 28.80% 28.81% +0.01%
==========================================
Files 14 14
Lines 2736 2738 +2
==========================================
+ Hits 788 789 +1
- Misses 1948 1949 +1
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds GitHub Artifact Attestations to the release workflow, implementing cryptographic signing of VSIX release artifacts using Sigstore to meet OSSF Best Practices requirements for signed releases. The changes enable verifiable build provenance for all GitHub Release artifacts.
Changes:
- Added new
attest-and-uploadjob to the main workflow that downloads, attests, and uploads VSIX artifacts to GitHub Releases - Documented the verification process in SECURITY.md with step-by-step instructions for users to verify release integrity using the GitHub CLI
- Configured necessary OIDC permissions (
id-token: write,attestations: write,contents: write) for Sigstore integration
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
.github/workflows/main.yml |
Adds the attest-and-upload job with artifact download, Sigstore attestation, and GitHub Release upload steps |
SECURITY.md |
Documents verification steps for release integrity checking and provides a comparison table of signed artifacts across distribution channels |
ca259ff to
1f47ab9
Compare
agreaves-ms
approved these changes
Jan 24, 2026
- add attest-and-upload job to main.yml workflow - configure Sigstore permissions for OIDC token - document verification process in SECURITY.md 🔒 - Generated by Copilot
- restructure extension-package-release job to run only when release_created is true - pass correct version from release-please outputs to packaging workflow - update workflow documentation and mermaid diagram - fix SECURITY.md table alignment per review feedback 📦 - Generated by Copilot
12fb64b to
63f61f2
Compare
- update attest-and-upload job to use download-artifact@v7.0.0 - add download-artifact@v7 entry to SHA pinning map 🔧 - Generated by Copilot
13 tasks
WilliamBerryiii
pushed a commit
that referenced
this pull request
Jan 28, 2026
🤖 I have created a release *beep* *boop* --- ## [2.0.0](hve-core-v1.1.0...hve-core-v2.0.0) (2026-01-28) ### ⚠ BREAKING CHANGES * **agents:** add Task Reviewer and expand RPI to 4-phase workflow ([#277](#277)) ### ✨ Features * **agents:** add hve-core-installer agent to extension package ([#297](#297)) ([c0e48c6](c0e48c6)) * **agents:** add Task Reviewer and expand RPI to 4-phase workflow ([#277](#277)) ([ae76cab](ae76cab)) * **build:** add code coverage reporting to Pester workflow ([#230](#230)) ([a34822a](a34822a)) * **docs:** add GOVERNANCE.md for OSSF Silver Badge compliance ([#235](#235)) ([b0e752c](b0e752c)) * **docs:** add ROADMAP.md for OSSF Silver badge compliance ([#238](#238)) ([4a41c16](4a41c16)) * **mcp:** add MCP server configuration guidance and installer enhancements ([#225](#225)) ([0bce418](0bce418)) * **scripts:** add YAML linting with actionlint ([#234](#234)) ([d9301f9](d9301f9)) * **security:** add OpenSSF Scorecard workflow and badge ([#271](#271)) ([7c6d788](7c6d788)) * **skills:** add video-to-gif conversion skill with FFmpeg two-pass optimization ([#247](#247)) ([8d65c42](8d65c42)) * **tests:** add Pester tests for LintingHelpers and Validate-MarkdownFrontmatter ([#197](#197), [#198](#198)) ([#205](#205)) ([51ae563](51ae563)) ### 🐛 Bug Fixes * **build:** detect table formatting changes via git diff ([#261](#261)) ([985eee0](985eee0)) * **build:** disable MD024 lint rule in CHANGELOG for release-please ([#220](#220)) ([971df94](971df94)) * **build:** quote shell variables and group redirects in workflow files ([#299](#299)) ([3372509](3372509)) * **build:** resolve scorecard badge and workflow security issues ([#301](#301)) ([aeaed13](aeaed13)) * **extension:** remove frontmatter from README and exclude from markdown linting ([#223](#223)) ([4272529](4272529)) * **instructions:** quote applyTo glob pattern for YAML compatibility ([#216](#216)) ([085199c](085199c)) * **scripts:** add FooterExcludePaths parameter to frontmatter validation ([#334](#334)) ([64db98d](64db98d)) * **scripts:** add GHSA word and logs/ exclusion to cspell config ([#214](#214)) ([5c99b3f](5c99b3f)) * **scripts:** correct type assertions in Invoke-YamlLint.Tests.ps1 ([#332](#332)) ([af7050d](af7050d)) * **scripts:** eliminate false positives in dependency pinning npm pattern ([#273](#273)) ([ccbdfa3](ccbdfa3)) * **security:** add artifact attestation for signed releases ([#257](#257)) ([c52d6e2](c52d6e2)) * standardize markdown footers and complete frontmatter ([#217](#217)) ([b4e7556](b4e7556)) ### 📚 Documentation * add OpenSSF Best Practices Passing badge to README ([#239](#239)) ([91bc529](91bc529)) * **architecture:** add architecture documentation and value proposition ([#252](#252)) ([0e4b02f](0e4b02f)) * **contributing:** add testing requirements for OSSF compliance ([#254](#254)) ([4db1a18](4db1a18)) * **docs:** add enterprise status badges to README header ([#270](#270)) ([ccb68a4](ccb68a4)) * **security:** add security assurance case and threat model for OSSF Silver ([#259](#259)) ([a390e26](a390e26)) ### ♻️ Refactoring * **application:** wrap execution with try blocks, ensure proper … ([#296](#296)) ([35c4417](35c4417)) * **scripts:** extract frontmatter validation to testable module ([#293](#293)) ([4e8707e](4e8707e)) * **scripts:** extract pure functions for Pester testability ([#221](#221)) ([d40e742](d40e742)) ### 🔧 Maintenance * **deps-dev:** bump cspell from 9.4.0 to 9.6.0 in the npm-dependencies group ([#208](#208)) ([855914b](855914b)) * **deps-dev:** bump cspell from 9.6.0 to 9.6.1 in the npm-dependencies group ([#294](#294)) ([1e45ad6](1e45ad6)) * **deps:** bump actions/setup-node from 6.1.0 to 6.2.0 in the github-actions group ([#209](#209)) ([c4c69e2](c4c69e2)) * **deps:** bump the github-actions group with 4 updates ([#295](#295)) ([d8337b8](d8337b8)) * remove step-security/harden-runner from workflows ([#246](#246)) ([c5708d8](c5708d8)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: hve-core-release-please[bot] <254602402+hve-core-release-please[bot]@users.noreply.github.com>
This was referenced Jan 28, 2026
This was referenced Feb 6, 2026
This was referenced Feb 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Add GitHub Artifact Attestations to the release workflow, enabling cryptographic signing of VSIX release artifacts using Sigstore. This satisfies the OSSF Best Practices
signed_releasescriterion by establishing verifiable build provenance.attest-and-uploadjob tomain.ymlthat downloads the VSIX artifact, attests it with Sigstore, and uploads it to the GitHub Releaseid-token: write,attestations: write,contents: write) for Sigstore integrationRelated Issue(s)
Related to OSSF Silver badge requirements for signed releases.
Type of Change
Select all that apply:
Code & Documentation:
Infrastructure & Configuration:
AI Artifacts:
prompt-builderagent and addressed all feedback.github/instructions/*.instructions.md).github/prompts/*.prompt.md).github/agents/*.agent.md)Other:
.ps1,.sh,.py)Sample Prompts (for AI Artifact Contributions)
N/A - This PR does not include AI artifact contributions.
Testing
npm run lint:mdandnpm run lint:frontmatter(passed)Checklist
Required Checks
AI Artifact Contributions
N/A
Required Automated Checks
The following validation commands must pass before merging:
npm run lint:mdnpm run spell-checknpm run lint:frontmatternpm run lint:md-linksnpm run lint:psSecurity Considerations
Additional Notes
The
attest-and-uploadjob runs only whenrelease_created == 'true', ensuring attestation occurs only for actual releases. Actions use SHA pinning per repository conventions:actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16(v4.1.8)actions/attest-build-provenance@c074443f1aee8d4aeeae555aebba3282517141b2(v2.2.3)🔒 - Generated by Copilot