CI: add GitHub artifact attestations for release binaries (fixes #9134)

- grant id-token and attestations permissions to posix_tests job
- add actions/attest-build-provenance@v1 step for built artifacts

This publishes SLSA-style provenance for our tag builds (only when binaries
are produced) so users can verify the origin of downloaded borg binaries.
Thomas Waldmann 2025-11-02 16:33:49 +01:00
parent b9508a8f55
commit a5c8aed7cf
No known key found for this signature in database
GPG key ID: 243ACFA951F78E01
2 changed files with 28 additions and 0 deletions


@ -62,6 +62,10 @@ jobs:
posix_tests:
needs: [lint, security]
permissions:
contents: read
id-token: write
attestations: write
strategy:
fail-fast: true
# noinspection YAMLSchemaValidation
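Review bot: `id-token: write` and `attestations: write` are granted for the whole posix_tests job (the block starting `permissions:` / `contents: read`), so every step in the job, including the ordinary test runs, executes with an OIDC token available, while only the attestation step on tagged binary builds needs it. Consider moving the attest step into a separate job that `needs` posix_tests and downloads the built artifacts, leaving this job at `contents: read`; if it has to stay here, a comment above `id-token: write` naming the step that consumes it would help the next reader.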
@ -268,6 +272,12 @@ jobs:
echo "binary files"
ls -l artifacts/
- name: Attest binaries provenance (${{ matrix.binary }})
if: ${{ matrix.binary && steps.detect_tag.outputs.tagged }}
uses: actions/attest-build-provenance@v3
with:
subject-path: 'artifacts/*'
- name: Upload binaries (${{ matrix.binary }})
if: ${{ matrix.binary && steps.detect_tag.outputs.tagged }}
uses: actions/upload-artifact@v4
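Review bot: the step pins `uses: actions/attest-build-provenance@v3`, but the commit message says `actions/attest-build-provenance@v1`; one of the two should be corrected so the message matches what was merged. Since this action signs provenance with the job's OIDC identity, also consider pinning it to a full commit SHA (tag in a trailing comment) instead of the mutable `v3` tag, so a moved tag cannot silently change what produces the attestation. The `if:` guard is identical to the upload step's, so only tagged builds that produce binaries get attested, as the message promises; `subject-path: 'artifacts/*'` attests everything listed by the preceding `ls -l artifacts/`, so make sure nothing besides the release binaries lands in that directory.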


@ -68,6 +68,24 @@ GPG key fingerprint: 6D5B EF9A DD20 7580 5747 B70F 9F88 FB52 FAF7 B393
My fingerprint is also in the footer of all my BorgBackup mailing list posts.
Provenance attestations for GitHub-built binaries
-------------------------------------------------
For binaries built on GitHub (files with a "-gh" suffix in the name), we publish
an artifact provenance attestation that proves the binary was built by our
GitHub Actions workflow from a specific commit or tag. You can verify this using
the GitHub CLI (gh). Install it from https://cli.github.com/ and make sure you
use a recent version that supports "gh attestation".
Practical example (Linux, 2.0.0b20 tag):
curl -LO https://github.com/borgbackup/borg/releases/download/2.0.0b20/borg-linux-glibc235-x86_64-gh
gh attestation verify --repo borgbackup/borg --ref 2.0.0b20 ./borg-linux-glibc235-x86_64-gh
If verification succeeds, gh prints a summary stating the subject (your file),
that it was attested by GitHub Actions, and the job/workflow reference.
Installing
----------
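Review bot: the verification example passes `--ref 2.0.0b20` to `gh attestation verify`; please confirm that flag name against `gh attestation verify --help` for the version you ask users to install, and if the intent is to bind the check to the tag, say in the prose that verification fails when the binary was attested from a different ref. The two command lines under `Practical example (Linux, 2.0.0b20 tag):` should be a reStructuredText literal block (`::` plus indentation) so they render as code rather than as a paragraph. Finally, 'files with a "-gh" suffix' is the only hint at which release assets carry an attestation; it would help to state explicitly that binaries without that suffix have none and must be checked with the GPG signature described just above.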