Is your feature request related to a problem? Please describe.
When installing ggshield from GitHub Releases, there's no way to cryptographically verify that a binary was built from the expected source commit by the official CI pipeline.
Tool managers like mise (via the aqua backend) can automatically verify GitHub Artifact Attestations at install time. Without attestations on ggshield releases, this verification is a no-op.
Describe the solution you'd like
Enable GitHub Artifact Attestations on all release assets. This generates signed SLSA provenance (Sigstore/Fulcio-backed) for each artifact. The workflow change is minimal:
- Add `id-token: write` and `attestations: write` permissions to the release job.
- Call `actions/attest-build-provenance` after building each artifact.
Users can then verify with:

```shell
gh attestation verify ggshield-1.49.0-x86_64-unknown-linux-gnu.tar.gz --repo GitGuardian/ggshield
```
And tool managers like mise/aqua will verify automatically at install time.
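For reference, the two workflow changes above in a minimal release job (an added example, not the project's own workflow; the job name, build script path and `dist/` output location are assumptions, while the permission names and the attestation action are GitHub's real ones):

```yaml
# Added example: release job with GitHub Artifact Attestations enabled.
# The build script, job name and dist/ path are assumptions for illustration.
name: release

on:
  push:
    tags: ["v*"]

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # needed to upload assets to the GitHub Release
      id-token: write        # OIDC identity token used for Sigstore/Fulcio signing
      attestations: write    # lets the action store the provenance with GitHub
    steps:
      - uses: actions/checkout@v4

      - name: Build release archive (assumed build command)
        run: ./scripts/build-release.sh   # assumed to write dist/ggshield-*.tar.gz

      # Generates SLSA provenance for each matching file and signs it via Sigstore.
      # Must run after the artifact exists and before it is published.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: dist/ggshield-*.tar.gz

      - name: Upload assets to the GitHub Release
        run: gh release upload "${GITHUB_REF_NAME}" dist/ggshield-*.tar.gz
        env:
          GH_TOKEN: ${{ github.token }}
```

`gh attestation verify ... --repo GitGuardian/ggshield` then checks both the signature and that the provenance names this repository as the source, so a binary rebuilt elsewhere, even from the same source, fails verification with a non-zero exit code.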
Describe alternatives you've considered
None