The Apache Software Foundation reviews every GitHub Action used by ASF projects via verify-action-build (apache/infrastructure-actions). For runs-on/action@v2.1.1 (apache/infrastructure-actions#809) the review hits a wall: the action ships ~10 MB of UPX-packed Go binaries directly in the repo, with no provenance material that downstream reviewers can verify against. There's no release asset, no checksum file, no GitHub attestation on the binary blob SHA, no SLSA provenance.
Two asks:
- Add
actions/attest-build-provenance to the release workflow so each binary gets a verifiable SLSA provenance attestation. Consumers can then run gh attestation verify main-linux-amd64 --owner runs-on as part of their review, instead of trusting that the binary in the repo matches main.go.
- Publish release assets (the platform binaries + a
SHA256SUMS file, ideally GPG-signed) so reviewers can cross-check the in-tree binaries against the released ones.
Either would substantially close the gap. Both is ideal.
Separately — heads-up on a small thing in Makefile:
# `make dist` is org-wide convention for re-building the distributed binaries before pushing a PR. Used by Claude skills.
.PHONY: dist
dist: build
git add main-linux-amd64 main-linux-arm64 main-windows-amd64.exe index.js post.js
git commit -m "dist: rebuild binaries"
That comment isn't accurate (there's no org-wide "Claude skills" convention, certainly not for committing built binaries on behalf of an agent), and on a target that auto-commits binaries it reads like a prompt-injection lure aimed at coding agents inspecting the repo. Worth either removing the comment or rewriting it to say plainly what the target does.
Happy to send PRs for either ask.
The Apache Software Foundation reviews every GitHub Action used by ASF projects via verify-action-build (apache/infrastructure-actions). For
runs-on/action@v2.1.1(apache/infrastructure-actions#809) the review hits a wall: the action ships ~10 MB of UPX-packed Go binaries directly in the repo, with no provenance material that downstream reviewers can verify against. There's no release asset, no checksum file, no GitHub attestation on the binary blob SHA, no SLSA provenance.Two asks:
actions/attest-build-provenanceto the release workflow so each binary gets a verifiable SLSA provenance attestation. Consumers can then rungh attestation verify main-linux-amd64 --owner runs-onas part of their review, instead of trusting that the binary in the repo matchesmain.go.SHA256SUMSfile, ideally GPG-signed) so reviewers can cross-check the in-tree binaries against the released ones.Either would substantially close the gap. Both is ideal.
Separately — heads-up on a small thing in
Makefile:That comment isn't accurate (there's no org-wide "Claude skills" convention, certainly not for committing built binaries on behalf of an agent), and on a target that auto-commits binaries it reads like a prompt-injection lure aimed at coding agents inspecting the repo. Worth either removing the comment or rewriting it to say plainly what the target does.
Happy to send PRs for either ask.