Add signing and checksums to release artifacts so users can verify downloads came from this repo unmodified. Supports Deliverable 2's provenance goals and aligns with our own supply-chain guidance.
Changes to build-ide-bundles.yml
Sign release ZIPs with cosign (keyless via GitHub OIDC — no keys to manage)
Publish SHA256SUMS alongside ZIPs
Pin GitHub Actions to commit SHAs instead of version tags
Remove --clobber from gh release upload (makes published assets immutable)
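The user-side check these changes enable, as an added example (not code from this PR or the repository): it verifies each download against SHA256SUMS and then checks that the keyless cosign signature was issued to this repo's release workflow via GitHub OIDC, not merely signed by anyone. The repo slug, the workflow path and the `<zip>.bundle` signature file name are assumptions.

```shell
#!/usr/bin/env sh
# Verify a downloaded release ZIP: checksum first, then keyless signature.
set -eu

REPO="${REPO:-OWNER/REPO}"                                   # assumption: real slug goes here
WORKFLOW_PATH="${WORKFLOW_PATH:-.github/workflows/build-ide-bundles.yml}"  # assumption
OIDC_ISSUER="https://token.actions.githubusercontent.com"    # GitHub Actions OIDC issuer

# check_sums DIR: every file listed in DIR/SHA256SUMS must match its digest.
# Returns 0 when all digests match, non-zero on any mismatch or missing file.
check_sums() {
    dir="$1"
    ( cd "$dir" && sha256sum -c SHA256SUMS ) >/dev/null 2>&1
}

# verify_signature ZIP: the signature bundle (assumed to be ZIP.bundle) must
# carry a Fulcio certificate whose identity is this repo's release workflow,
# run from a tag ref. A bundle signed by some other workflow or account fails.
verify_signature() {
    zip="$1"
    cosign verify-blob "$zip" \
        --bundle "$zip.bundle" \
        --certificate-oidc-issuer "$OIDC_ISSUER" \
        --certificate-identity-regexp "^https://github.com/$REPO/$WORKFLOW_PATH@refs/tags/"
}

# verify_release DIR ZIP: both checks must pass; order matters so a corrupt
# download is rejected before any signature metadata is trusted.
verify_release() {
    check_sums "$1" || { echo "checksum mismatch in $1" >&2; return 1; }
    verify_signature "$1/$2" || { echo "signature/identity check failed for $2" >&2; return 1; }
    echo "OK: $2 matches SHA256SUMS and was signed by $REPO release workflow"
}
```

Run as `verify_release ./downloads ide-bundle.zip` after fetching the ZIP, its `.bundle` and SHA256SUMS from the release page.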