151 points | fastest963 | 1 comment
shpx (No.45773643):
Would've made more sense to add a grey "Edited" to edited releases. Releases are not actually immutable, GitHub could change them. I don't know why you need to use sciency words to say "editing disabled".

1. NoahZuniga (No.45774011), replying to shpx:
They are immutable! The releases are signed with an attestation from a trusted third party that GitHub can't forge! Also these attestations are public and anyone can verify that the signing third party isn't misbehaving.

> Release attestations let you verify that an artifact is authentic and unchanged, even outside GitHub. Attestations use the Sigstore bundle format, so you can easily verify releases and assets using the GitHub CLI or integrate with any Sigstore-compatible tooling to automate policy enforcement in your CI/CD pipelines. For instructions on how to verify the integrity of a release, see our docs on verifying the integrity of a release.

They are using Sigstore, which is pretty standard in this space.
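What "verify with Sigstore-compatible tooling" boils down to mechanically: the release artifact's SHA-256 is placed in an in-toto statement, that statement is wrapped in a DSSE envelope and signed with a short-lived key whose certificate travels inside the Sigstore bundle. The script below is an added example, not code from the thread, from GitHub or from the Sigstore project. It plays both sides offline: a stand-in signer that mints a self-signed certificate in place of the Fulcio-issued one, and a verifier that checks the DSSE signature and that the attested digest matches the file you actually downloaded. The artifact bytes, the predicate type URL and the certificate subject are constructed placeholders. It deliberately skips the steps that make the real scheme hard for GitHub to forge and easy for anyone to audit: chaining the certificate to the Sigstore root, checking the Rekor transparency-log inclusion proof in `tlogEntries`, and matching the certificate's identity extensions to the expected repository and workflow. `gh attestation verify` does all of that; this shows only the cryptographic core. Requires the `cryptography` package.

```python
import base64
import datetime
import hashlib
import json

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

IN_TOTO_TYPE = "application/vnd.in-toto+json"
# Placeholder predicate type for the demo; not GitHub's real release predicate URL.
DEMO_PREDICATE = "https://example.invalid/demo-release-attestation/v1"


def pae(payload_type: str, payload: bytes) -> bytes:
    """DSSE pre-authentication encoding: these bytes, not the raw payload, are signed."""
    t = payload_type.encode()
    return b"DSSEv1 %d %s %d %s" % (len(t), t, len(payload), payload)


def new_signing_key():
    # Fulcio issues certificates for ECDSA P-256 keys; mirror that here.
    return ec.generate_private_key(ec.SECP256R1())


def _self_signed_cert(key):
    # Stand-in for the short-lived Fulcio certificate carried in a real bundle.
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "demo-signer")])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(minutes=10))
        .sign(key, hashes.SHA256())
    )


def make_bundle(key, artifact_name: str, artifact: bytes) -> dict:
    """Constructed signer: bind the artifact's sha256 into a Sigstore-style bundle."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": DEMO_PREDICATE,
        "predicate": {},
    }
    payload = json.dumps(statement, separators=(",", ":")).encode()
    sig = key.sign(pae(IN_TOTO_TYPE, payload), ec.ECDSA(hashes.SHA256()))
    cert_der = _self_signed_cert(key).public_bytes(serialization.Encoding.DER)
    return {
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "verificationMaterial": {
            "certificate": {"rawBytes": base64.b64encode(cert_der).decode()},
            "tlogEntries": [],  # Rekor inclusion proof omitted in this demo
        },
        "dsseEnvelope": {
            "payloadType": IN_TOTO_TYPE,
            "payload": base64.b64encode(payload).decode(),
            "signatures": [{"sig": base64.b64encode(sig).decode(), "keyid": ""}],
        },
    }


def verify_bundle(bundle: dict, artifact: bytes) -> bool:
    """True iff the envelope signature is valid under the bundled certificate's key
    AND the signed statement names the sha256 of the bytes we were handed.
    Real verifiers additionally check the cert chain, Rekor entry and identity."""
    env = bundle["dsseEnvelope"]
    if env["payloadType"] != IN_TOTO_TYPE:
        return False
    payload = base64.b64decode(env["payload"])
    cert_der = base64.b64decode(bundle["verificationMaterial"]["certificate"]["rawBytes"])
    pub = x509.load_der_x509_certificate(cert_der).public_key()
    signed = pae(env["payloadType"], payload)
    for s in env["signatures"]:
        try:
            pub.verify(base64.b64decode(s["sig"]), signed, ec.ECDSA(hashes.SHA256()))
            break
        except InvalidSignature:
            continue
    else:
        return False  # no signature in the envelope verifies
    statement = json.loads(payload)
    want = hashlib.sha256(artifact).hexdigest()
    return any(sub.get("digest", {}).get("sha256") == want
               for sub in statement.get("subject", []))


def tamper_payload(bundle: dict) -> dict:
    """Return a copy whose statement was rewritten after signing (what an 'edit' would do)."""
    out = json.loads(json.dumps(bundle))
    st = json.loads(base64.b64decode(out["dsseEnvelope"]["payload"]))
    st["subject"][0]["digest"]["sha256"] = "0" * 64
    out["dsseEnvelope"]["payload"] = base64.b64encode(
        json.dumps(st, separators=(",", ":")).encode()).decode()
    return out


def demo():
    artifact = b"constructed release tarball bytes"  # stands in for the real asset
    bundle = make_bundle(new_signing_key(), "app-1.0.0.tar.gz", artifact)
    return (verify_bundle(bundle, artifact),            # genuine: True
            verify_bundle(bundle, artifact + b"\x00"),  # swapped asset: False
            verify_bundle(tamper_payload(bundle), artifact))  # edited statement: False


if __name__ == "__main__":
    print(demo())
```

The third case is the one relevant to the thread: changing the attested statement after the fact invalidates the signature, so a silently edited release would fail verification unless the signer re-signs, and a re-signing event would leave a new, publicly visible Rekor entry.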