Description
Checklist
- I am using an up-to-date version.
- I have read the documentation.
- I have searched existing issues.
Description
It's a recent safety feature offered by GitHub to reduce the attack surface of the supply chain.
In simpler terms:
Once immutable releases are enabled, every new release and its associated tag will be marked as "Immutable". Assets uploaded to an immutable release cannot be replaced or removed, thus ensuring that once a release is made, the files cannot be altered. You will still be able to edit the release text or delete the whole release, but not modify the released assets. Draft releases are not immutable.
You can learn more here: https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases
Solution
Immutable releases are a checkbox you can find directly in the Settings section of this repo.
You will need to upload release assets as a draft so that if the workflow fails, you are not stuck with missing or corrupted files.
However, immutable releases still leave a small gap where assets can be replaced during the draft state. This is why, during the build workflow, you should also create a single attestation for all of the files that have been built. For more information, see this guide. This way users will be able to compare the SHA256 hashes of the files in the attestation to the release assets' SHA256 hashes.
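The comparison step described above, as an added example that is not part of this issue or of the project's own code: it takes the decoded in-toto statement that a GitHub build-provenance attestation carries (the base64 `payload` inside the Sigstore bundle's DSSE envelope) and checks every `subject` digest against the SHA256 of the downloaded release asset with the same name. It deliberately skips signature and signer-identity checks, which `gh attestation verify` performs; the statement and the asset files here are constructed so the script runs offline, and the asset names are placeholders.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of_file(path: Path) -> str:
    """Stream the file so large release assets do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_assets(statement: dict, asset_dir: Path) -> dict:
    """Compare the attestation's subjects with the files in asset_dir.

    Returns {asset name: status} where status is one of:
      "ok"         digest in the attestation matches the file on disk
      "mismatch"   file exists but its SHA256 differs (asset replaced)
      "missing"    attested file is not among the release assets
      "unattested" release asset that the attestation does not cover
    """
    results = {}
    # in-toto Statement v1: each subject has a name and a digest map keyed by algorithm
    subjects = {s["name"]: s["digest"]["sha256"].lower() for s in statement["subject"]}
    for name, expected in subjects.items():
        path = asset_dir / name
        if not path.is_file():
            results[name] = "missing"
        elif sha256_of_file(path) == expected:
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    # Anything published alongside the attested files but not covered by the
    # single attestation is worth flagging too: it never went through the build check.
    for path in asset_dir.iterdir():
        if path.is_file() and path.name not in subjects:
            results[path.name] = "unattested"
    return results


def demo() -> dict:
    """Constructed scenario: one asset intact, one replaced while the release
    was still a draft, one attested asset never uploaded, one stray file."""
    with tempfile.TemporaryDirectory() as d:
        asset_dir = Path(d)
        build_a = b"constructed build output A\n"
        build_b = b"constructed build output B\n"
        (asset_dir / "tool-linux-amd64").write_bytes(build_a)
        (asset_dir / "tool-windows-amd64.exe").write_bytes(build_b)
        (asset_dir / "extra-unattested.txt").write_bytes(b"not in attestation\n")

        # Constructed in-toto statement, shaped like the payload of a
        # GitHub build-provenance attestation (predicate body omitted).
        statement = {
            "_type": "https://in-toto.io/Statement/v1",
            "subject": [
                {"name": "tool-linux-amd64",
                 "digest": {"sha256": hashlib.sha256(build_a).hexdigest()}},
                {"name": "tool-windows-amd64.exe",
                 "digest": {"sha256": hashlib.sha256(build_b).hexdigest()}},
                {"name": "tool-darwin-arm64",
                 "digest": {"sha256": "00" * 32}},  # placeholder digest
            ],
            "predicateType": "https://slsa.dev/provenance/v1",
            "predicate": {},
        }

        # Simulate the gap the issue describes: the Windows asset gets
        # swapped after the attestation was produced but before publishing.
        (asset_dir / "tool-windows-amd64.exe").write_bytes(b"tampered\n")
        return verify_assets(statement, asset_dir)


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:10s} {name}")
```

In practice you would obtain the statement by running `gh attestation verify <asset> --repo <owner>/<repo>` (which also checks the Sigstore signature and the workflow identity) and then run this digest comparison over every downloaded asset, treating any result other than "ok" as a reason not to use the release.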
Alternatives
No response