Skip to content

ci(scorecard): signed releases (Sigstore provenance) + pin fuzz-build deps#62

Merged
askalf merged 2 commits into
masterfrom
scorecard-signed-and-pinned
Jul 11, 2026
Merged

ci(scorecard): signed releases (Sigstore provenance) + pin fuzz-build deps#62
askalf merged 2 commits into
masterfrom
scorecard-signed-and-pinned

Conversation

@askalf

@askalf askalf commented Jul 11, 2026

Copy link
Copy Markdown
Owner

Ports redstamp's Scorecard hardening (askalf/redstamp#65 + askalf/redstamp#66) to this repo.

Signed-Releases (currently N/A — releases carry no assets, so the check doesn't run): auto-release now attaches the npm pack tarball and its keyless Sigstore provenance bundle (<tarball>.sigstore.json, signed via GitHub OIDC by hash-pinned actions/attest-build-provenance v4.1.1) to every release. Verify with gh attestation verify <tarball> --owner askalf. Takes effect on the next version bump. The slsa-github-generator route was deliberately skipped: it can only be referenced by tag, which would hand Pinned-Dependencies a permanent unpinned-action warn.

Pinned-Dependencies (clears both open warns):

  • .clusterfuzzlite/Dockerfile — base image pinned by digest (the digest Scorecard itself recommends; same pin redstamp uses).
  • .clusterfuzzlite/build.shnpm installnpm ci, so the fuzz build verifies every integrity hash in the committed lockfile. Jazzer is already a locked devDependency here; installed set is unchanged.

New job permissions: id-token: write + attestations: write; top-level stays contents: read.

@askalf
askalf merged commit 6611ce5 into master Jul 11, 2026
8 checks passed
@askalf
askalf deleted the scorecard-signed-and-pinned branch July 11, 2026 23:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant