Please consider enabling immutable releases: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases

Please consider attesting SBOM & Build artefacts published to GitHub packages via Actions: https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations

An example from one of the projects I co-maintain: https://github.com/celzero/firestack/blob/32c8d7882de7a56ff8eda026bf7be596bcb87acc/.github/workflows/go.yml#L317-L373
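As an added illustration of the attestation suggestion above (this is example code, not the commenter's workflow and not the firestack project's own `go.yml`), the following GitHub Actions job builds a Go binary, generates an SPDX SBOM, and records both a build-provenance attestation and an SBOM attestation for it. The module path `./cmd/example-app`, the binary name `example-app`, and the artifact name are hypothetical; the action version tags are assumptions and should be pinned to commit SHAs in a real repository.

```yaml
name: release-with-attestations

on:
  push:
    tags: ["v*"]

# Default to read-only; the build job requests only what attestation needs.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write      # lets the job obtain a short-lived Sigstore signing identity
      attestations: write  # lets the job store attestations in the repository
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      # Hypothetical package path and binary name; reproducible-build flags
      # keep the subject digest stable across identical inputs.
      - name: Build binary
        run: |
          mkdir -p dist
          CGO_ENABLED=0 go build -trimpath -ldflags="-s -w" \
            -o dist/example-app ./cmd/example-app

      # Produce an SPDX JSON SBOM for the checked-out source tree.
      - name: Generate SBOM
        uses: anchore/sbom-action@v0
        with:
          path: .
          format: spdx-json
          output-file: dist/example-app.sbom.spdx.json
          upload-artifact: false

      # Signed SLSA provenance: ties the binary's digest to this workflow run.
      - name: Attest build provenance
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: dist/example-app

      # Signed SBOM attestation: ties the SBOM to the same binary digest.
      - name: Attest SBOM
        uses: actions/attest-sbom@v2
        with:
          subject-path: dist/example-app
          sbom-path: dist/example-app.sbom.spdx.json

      - name: Upload artifacts
        uses: actions/upload-artifact@v4
        with:
          name: example-app
          path: dist/
```

Consumers can check a downloaded binary against the stored attestations with the GitHub CLI, e.g. `gh attestation verify dist/example-app --owner <org>` (replace `<org>` with the publishing organization or user); the verification fails if the file's digest does not match a provenance record signed from this repository's workflow.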