
ci(release): add SLSA provenance, SBOM, cosign signatures, sha256 sidecars #452

Merged: grandizzy merged 1 commit into main from ci/release-attestations on May 4, 2026

Conversation

@grandizzy (Contributor)

  • build.yml: --locked, per-binary .sha256, SPDX SBOM via syft,
    SLSA v1 + SBOM attestations via actions/attest, cosign keyless
    sign-blob bundle (.sigstore.json) per binary, all sidecars
    shipped to GitHub Releases and cli.tempo.xyz
  • tempo-sign: skip .sha256 in SKIP_EXTENSIONS so sidecars don't
    pollute manifest.json
  • SECURITY.md: command-focused verification recipes for both
    GitHub Releases and cli.tempo.xyz (R2)
  • README.md: link Security section to verification recipes

…ecars

- build.yml: --locked, per-binary .sha256, SPDX SBOM via syft,
  SLSA v1 + SBOM attestations via actions/attest, cosign keyless
  sign-blob bundle (.sigstore.json) per binary, all sidecars
  shipped to GitHub Releases and cli.tempo.xyz
- tempo-sign: skip .sha256 in SKIP_EXTENSIONS so sidecars don't
  pollute manifest.json
- SECURITY.md: command-focused verification recipes for both
  GitHub Releases and cli.tempo.xyz (R2)
- README.md: link Security section to verification recipes

Amp-Thread-ID: https://ampcode.com/threads/T-019df2bd-846d-76fb-86a0-50154ad8e243
Co-authored-by: Amp <amp@ampcode.com>
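The consumer side of what this PR ships (per-binary .sha256 sidecar, keyless cosign sign-blob bundle, SLSA v1 provenance and SPDX SBOM attestations via actions/attest), as an added example verification script. This is not code from the PR, from the project's SECURITY.md recipes, or from the tempo project; it is an illustration of how a downloader would check each sidecar. Assumptions, labelled in the comments: the .sha256 sidecar is either sha256sum layout ("<hex>  <name>") or a bare hex digest (the PR does not state the layout); OWNER/REPO and the certificate identity pattern are placeholders because the repository name is not on the page; cosign v2 and gh (with the attestation subcommand) are installed for the signature and attestation steps, which the offline demo does not exercise.

```shell
#!/bin/sh
# Added example, not part of PR #452 or the tempo project.
# Verifies a release binary against the sidecars described in the PR:
#   <bin>.sha256         per-binary digest
#   <bin>.sigstore.json  cosign keyless sign-blob bundle
#   SLSA v1 provenance + SPDX SBOM attestations (actions/attest), checked via gh

# Compute the SHA-256 hex digest of a file with whichever tool is present.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_sha256_sidecar <binary> <sidecar>
# Accepts sha256sum layout ("<hex>  <name>") or a bare digest (assumption:
# the PR does not state the sidecar layout). Returns 0 on match, 1 otherwise.
verify_sha256_sidecar() {
  bin="$1"; sidecar="$2"
  expected=$(grep -oE '[0-9a-fA-F]{64}' "$sidecar" | head -n1 | tr 'A-F' 'a-f')
  if [ -z "$expected" ]; then
    echo "no sha256 digest found in $sidecar" >&2
    return 1
  fi
  actual=$(sha256_of "$bin")
  if [ "$expected" = "$actual" ]; then
    echo "sha256 OK: $bin"
    return 0
  fi
  echo "sha256 MISMATCH: $bin (expected $expected, got $actual)" >&2
  return 1
}

# verify_release_binary <binary> [owner/repo] [certificate-identity-regexp]
# Full chain for a downloaded asset with its sidecars beside it. Needs
# cosign v2 and gh; OWNER/REPO and the identity pattern are placeholders.
verify_release_binary() {
  bin="$1"
  repo="${2:-OWNER/REPO}"   # placeholder: repository not stated in the PR
  # Assumed signer identity: the build.yml workflow run from a tag ref.
  identity="${3:-^https://github.com/${repo}/.github/workflows/build.yml@refs/tags/.*}"

  verify_sha256_sidecar "$bin" "$bin.sha256" || return 1

  # Keyless signature: the bundle carries the Fulcio certificate and Rekor
  # entry, so the verifier only pins the expected identity and OIDC issuer.
  cosign verify-blob "$bin" \
    --bundle "$bin.sigstore.json" \
    --certificate-identity-regexp "$identity" \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com || return 1

  # SLSA v1 provenance (gh's default predicate type).
  gh attestation verify "$bin" --repo "$repo" || return 1

  # SPDX SBOM attestation, selected by predicate type.
  gh attestation verify "$bin" --repo "$repo" \
    --predicate-type https://spdx.dev/Document || return 1
}

# Offline demo with a constructed asset: exercises only the sha256 step,
# once on a matching sidecar and once after tampering with the binary.
demo_sha256_check() {
  dir=$(mktemp -d)
  printf 'constructed sample binary\n' > "$dir/tempo"
  printf '%s  tempo\n' "$(sha256_of "$dir/tempo")" > "$dir/tempo.sha256"
  if verify_sha256_sidecar "$dir/tempo" "$dir/tempo.sha256"; then ok=0; else ok=1; fi
  printf 'tampered\n' >> "$dir/tempo"
  if verify_sha256_sidecar "$dir/tempo" "$dir/tempo.sha256" 2>/dev/null; then tampered=0; else tampered=1; fi
  rm -rf "$dir"
  [ "$ok" -eq 0 ] && [ "$tampered" -eq 1 ]
}

# Usage: sh verify.sh demo          (offline sha256 demo)
#        . ./verify.sh; verify_release_binary ./tempo OWNER/REPO
if [ "${1:-}" = "demo" ]; then
  demo_sha256_check
fi
```

The order matters: the digest check is cheap and catches a truncated download, but only the cosign and attestation steps bind the asset to the signing workflow identity, since a sidecar fetched from the same location as the binary proves nothing on its own.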
@grandizzy grandizzy self-assigned this May 4, 2026
@github-actions (bot) commented May 4, 2026

⚠️ Changelog not found.

A changelog entry is required before merging.

Add changelog

@grandizzy grandizzy marked this pull request as ready for review May 4, 2026 12:08
@grandizzy grandizzy requested review from Slokh and brendanjryan May 4, 2026 12:08
@brendanjryan (Collaborator)

LGTM!

@grandizzy grandizzy merged commit 03998da into main May 4, 2026
14 checks passed
@grandizzy grandizzy deleted the ci/release-attestations branch May 4, 2026 16:32