Copilot AI commented Jul 1, 2025

This PR implements build attestation for the DendroDocs.Shared library using GitHub's actions/attest-build-provenance action, providing cryptographic proof of build integrity and supply chain security.

Changes Made

GitHub Actions Workflow (continuous.yml)

  • Added required permissions for attestation:
    • id-token: write - for OIDC token generation
    • attestations: write - for writing attestations
    • contents: read - for repository access
  • Added attestation step positioned after build completion but before artifact upload
  • Configured attestation to cover both main packages (.nupkg) and symbol packages (.snupkg)

Documentation (README.md)

  • Added "Security & Build Attestation" section explaining the security benefits
  • Documented how attestations provide verifiable provenance and artifact integrity

Security Benefits

The attestation provides:

  • Verifiable Provenance: Cryptographic proof of the exact repository, commit, and workflow that built each artifact
  • Integrity Assurance: Signatures ensuring packages haven't been tampered with
  • Supply Chain Security: Protection against malicious package injection by proving official build lineage

Technical Implementation

- name: 'Attest: Build Provenance'
  uses: actions/attest-build-provenance@v1
  with:
    subject-path: 'Artifacts/*.nupkg,Artifacts/*.snupkg'

The attestation step runs after the build completes (Run: Push) but before artifacts are uploaded (Publish: Artifacts), ensuring all generated packages receive attestation.

Validation

  • ✅ YAML syntax validated
  • ✅ Correct step ordering maintained
  • ✅ All artifact types covered (both .nupkg and .snupkg files)
  • ✅ Required permissions properly configured

Users consuming the DendroDocs.Shared library can now verify that packages came from the official build pipeline and haven't been compromised.

Fixes #43.
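As an added consumer-side example (not code from this PR or the DendroDocs project): a POSIX shell script that checks a downloaded package against the build-provenance attestation this workflow produces, using the GitHub CLI's `gh attestation verify`. The repository slug is a placeholder, the `--signer-workflow` and `--deny-self-hosted-runners` flags are assumed from the gh CLI documentation, and an installed, authenticated `gh` is required for the actual verification call; everything else fails closed.

```shell
#!/bin/sh
# Verify DendroDocs.Shared packages against their GitHub build-provenance attestation.
# Assumptions: REPO is a placeholder slug (set DENDRODOCS_REPO to the real one);
# WORKFLOW is the workflow file this PR changed; gh flags are taken from the gh CLI docs.
set -u

REPO="${DENDRODOCS_REPO:-OWNER/DendroDocs.Shared}"   # placeholder, not from the PR
WORKFLOW=".github/workflows/continuous.yml"          # workflow that runs the attest step

# Accept only existing .nupkg/.snupkg files, the two artifact types the attestation covers.
is_attested_artifact() {
  case "$1" in
    *.nupkg|*.snupkg) [ -f "$1" ] ;;
    *) return 1 ;;
  esac
}

# Verify a single package. Exit codes: 2 = bad input, 3 = gh missing, otherwise gh's result.
# Pinning --signer-workflow rejects attestations signed by any other workflow, even one
# in the same repository; --deny-self-hosted-runners rejects builds from self-hosted runners.
verify_package() {
  pkg="$1"
  is_attested_artifact "$pkg" || { echo "refusing: $pkg is not an existing .nupkg/.snupkg" >&2; return 2; }
  command -v gh >/dev/null 2>&1 || { echo "refusing: gh CLI not found, cannot verify" >&2; return 3; }
  gh attestation verify "$pkg" \
    --repo "$REPO" \
    --signer-workflow "$REPO/$WORKFLOW" \
    --deny-self-hosted-runners \
    --format json >/dev/null
}

# Verify every package in a directory; one failure fails the whole run (no partial trust).
verify_dir() {
  rc=0
  for f in "$1"/*.nupkg "$1"/*.snupkg; do
    [ -e "$f" ] || continue
    if verify_package "$f"; then echo "OK   $f"; else echo "FAIL $f"; rc=1; fi
  done
  return $rc
}
```

Run as `verify_dir ./Artifacts` after downloading the packages; a non-zero exit means at least one package has no acceptable attestation and must not be consumed.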


@eNeRGy164 eNeRGy164 added the workflow Changes related to the project's pipeline, automation, or CI/CD workflows. label Jul 1, 2025
Co-authored-by: eNeRGy164 <10671831+eNeRGy164@users.noreply.github.com>
Copilot AI changed the title [WIP] Add attestation for the library Add build attestation for the library Jul 1, 2025
Copilot AI requested a review from eNeRGy164 July 1, 2025 07:57
Copilot finished work on behalf of eNeRGy164 July 1, 2025 07:57
@eNeRGy164 eNeRGy164 marked this pull request as ready for review July 1, 2025 08:04
Copilot AI review requested due to automatic review settings July 1, 2025 08:04
Copilot AI left a comment

Pull Request Overview

This PR integrates build attestation for the DendroDocs.Shared library, ensuring that artifacts carry verifiable provenance information and integrity assurances.

  • Added a "Security & Build Attestation" section in the README to document the feature.
  • Updated the GitHub Actions workflow to include the necessary permissions and the attestation step (using actions/attest-build-provenance@v1) before artifact publication.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

  • README.md: Added documentation on build attestation and its security benefits
  • .github/workflows/continuous.yml: Inserted permissions updates and an attestation step into the workflow


coveralls commented Jul 1, 2025

Pull Request Test Coverage Report for Build 15993307517

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 96.104%

Totals (Coverage Status)

  • Change from base Build 15905063830: 0.0%
  • Covered Lines: 567
  • Relevant Lines: 572

💛 - Coveralls

@eNeRGy164 eNeRGy164 merged commit 377e733 into main Jul 1, 2025
3 checks passed
@eNeRGy164 eNeRGy164 deleted the copilot/fix-43 branch July 1, 2025 08:12