From a0f4e3faaaba608b25b4f4dced8026ebeaa38f2b Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 7 Apr 2026 20:44:40 +0000
Subject: [PATCH 1/8] ci(deploy): attest build provenance for release binaries

Use actions/attest-build-provenance to generate Sigstore-backed attestations for each released executable, so consumers can verify that the binaries on GitHub Releases were built by this workflow rather than uploaded manually.
---
 .github/workflows/deploy.yaml | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)

diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index 7b05ef20..f6d9118b 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -64,6 +64,11 @@ jobs:
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write
+ attestations: write
+
 strategy:
 fail-fast: true
 matrix:
@@ -90,6 +95,11 @@ jobs:
 - name: Strip all debug symbols
 run: strip --strip-all target/${{ matrix.target }}/release/pdu
+ - name: Attest build provenance
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: target/${{ matrix.target }}/release/pdu
+
 - name: Upload build artifact
 uses: actions/upload-artifact@v7
 with:
@@ -101,6 +111,11 @@ jobs:
 runs-on: macos-latest
+ permissions:
+ contents: read
+ id-token: write
+ attestations: write
+
 strategy:
 fail-fast: true
 matrix:
@@ -126,6 +141,11 @@ jobs:
 - name: Strip all debug symbols
 run: strip target/${{ matrix.target }}/release/pdu
+ - name: Attest build provenance
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: target/${{ matrix.target }}/release/pdu
+
 - name: Upload build artifact
 uses: actions/upload-artifact@v7
 with:
@@ -137,6 +157,11 @@ jobs:
 runs-on: windows-latest
+ permissions:
+ contents: read
+ id-token: write
+ attestations: write
+
 strategy:
 fail-fast: true
 matrix:
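Review bot: `uses: actions/attest-build-provenance@v2` in the -90 hunk pins the action only by a floating major tag, which is a weak anchor for a change whose whole purpose is provenance — the tag can be moved to different code, and an action that runs with this job's `id-token: write` can attest whatever it likes in this workflow's name; pin to a full commit SHA and keep the tag as a comment, `uses: actions/attest-build-provenance@<full-commit-sha>  # v2`. The -126 and -161 hunks, and both attest steps added in PATCH 5, use the same `@v2` reference and should be pinned the same way. Because `id-token: write` is granted to the whole build job rather than to a separate attest job, every step that runs before the attest step — including any build script or proc-macro executed by `cargo build`, presumably in the Linux and macOS jobs as well as the Windows one — runs with the ability to request that OIDC token, which is the blast-radius trade-off the later comment-only patch records; the Build step visible as context in the -161 hunk also lacks `--locked`, so the attested artifact may be built from a dependency set other than the one in Cargo.lock, and `cargo build --locked --target ${{ matrix.target }} --release --all-features` would close that gap. The build jobs continue outside these hunks.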
@@ -161,6 +186,11 @@ jobs:
 - name: Build
 run: cargo build --target ${{ matrix.target }} --release --all-features
+ - name: Attest build provenance
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: target/${{ matrix.target }}/release/pdu.exe
+
 - name: Upload build artifact
 uses: actions/upload-artifact@v7
 with:

From 3c7fc88514143e25b73416a2996fc9b3552fbd8b Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 7 Apr 2026 21:25:39 +0000
Subject: [PATCH 2/8] docs(readme): document build provenance attestations for release binaries

Add a note to the GitHub install subsection and a new FAQ entry explaining that executables published to GitHub Releases starting from 0.22.1 are signed with Sigstore-backed build provenance attestations, along with the gh attestation verify command.
---
 README.md | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/README.md b/README.md
index 5f7b0b59..2249bb03 100644
--- a/README.md
+++ b/README.md
@@ -146,6 +146,8 @@ Beware that the structure of the JSON tree differs depending on the number of fi
 Go to the [GitHub Release Page](https://github.com/KSXGitHub/parallel-disk-usage/releases) and download a binary.
+Starting with version 0.22.1, every executable published to GitHub Releases ships with a build provenance attestation, so you can cryptographically verify that the binary was produced by this repository's deployment workflow rather than uploaded by hand. See [_How do I know the binaries on the GitHub Release page are genuine?_](#how-do-i-know-the-binaries-on-the-github-release-page-are-genuine) for the verification command.
+
 #### From [crates.io](https://crates.io)
 **Prerequisites:**
@@ -183,6 +185,21 @@ No. "Vibe coding" means letting AI do everything without human involvement. This
 Using AI also does not mean poor quality. On the contrary, AI reviews have helped detect previously undetected bugs.
+### How do I know the binaries on the GitHub Release page are genuine?
+
+Starting with version 0.22.1, every executable published to [GitHub Releases](https://github.com/KSXGitHub/parallel-disk-usage/releases) is accompanied by a [build provenance attestation](https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations). The attestation is cryptographically signed by [Sigstore](https://www.sigstore.dev/) — a public-good signing service operated by the Linux Foundation — and records that the binary was built by this repository's GitHub Actions deployment workflow from a specific commit. Because the signing happens inside GitHub's infrastructure via OIDC and the signatures are logged to Sigstore's public transparency log, the guarantee does not depend on trusting the maintainer's personal word: any tampered or manually uploaded binary would fail verification.
+
+To verify a downloaded binary, install the [GitHub CLI](https://cli.github.com/) and run:
+
+```sh
+gh attestation verify pdu-x86_64-unknown-linux-gnu \
+ --repo KSXGitHub/parallel-disk-usage
+```
+
+(Replace `pdu-x86_64-unknown-linux-gnu` with the filename you downloaded.) A successful run prints the signer workflow and confirms that the file's SHA-256 matches the attested digest. All attestations for this repository can also be browsed at the [Attestations page](https://github.com/KSXGitHub/parallel-disk-usage/attestations).
+
+Binaries from releases older than 0.22.1 are not attested.
+
 ## Similar programs
 * **CLI:**

From c0c234429b99e49e17caf0b1a9ee4d5a73427ad1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kh=E1=BA=A3i?=
Date: Wed, 8 Apr 2026 04:34:59 +0700
Subject: [PATCH 3/8] docs(readme): improve
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-authored-by: Khải
---
 README.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 2249bb03..22583b87 100644
--- a/README.md
+++ b/README.md
@@ -192,11 +192,10 @@ Starting with version 0.22.1, every executable published to [GitHub Releases](ht
 To verify a downloaded binary, install the [GitHub CLI](https://cli.github.com/) and run:
 ```sh
-gh attestation verify pdu-x86_64-unknown-linux-gnu \
- --repo KSXGitHub/parallel-disk-usage
+gh attestation verify downloaded-pdu --repo KSXGitHub/parallel-disk-usage
 ```
-(Replace `pdu-x86_64-unknown-linux-gnu` with the filename you downloaded.) A successful run prints the signer workflow and confirms that the file's SHA-256 matches the attested digest. All attestations for this repository can also be browsed at the [Attestations page](https://github.com/KSXGitHub/parallel-disk-usage/attestations).
+(Replace `downloaded-pdu` with the filename you downloaded.) A successful run prints the signer workflow and confirms that the file's SHA-256 matches the attested digest. All attestations for this repository can also be browsed at the [Attestations page](https://github.com/KSXGitHub/parallel-disk-usage/attestations).
 Binaries from releases older than 0.22.1 are not attested.

From 180b1b91e8b4633068b4a7400d4277c6cabde095 Mon Sep 17 00:00:00 2001
From: khai96_
Date: Wed, 8 Apr 2026 04:45:25 +0700
Subject: [PATCH 4/8] docs(readme): improve the question
---
 README.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 22583b87..1a3a8ea6 100644
--- a/README.md
+++ b/README.md
@@ -146,7 +146,7 @@ Beware that the structure of the JSON tree differs depending on the number of fi
 Go to the [GitHub Release Page](https://github.com/KSXGitHub/parallel-disk-usage/releases) and download a binary.
-Starting with version 0.22.1, every executable published to GitHub Releases ships with a build provenance attestation, so you can cryptographically verify that the binary was produced by this repository's deployment workflow rather than uploaded by hand. See [_How do I know the binaries on the GitHub Release page are genuine?_](#how-do-i-know-the-binaries-on-the-github-release-page-are-genuine) for the verification command.
+Starting with version 0.22.1, every executable published to GitHub Releases ships with a build provenance attestation, so you can cryptographically verify that the binary was produced by this repository's deployment workflow rather than uploaded by hand. See [_How can I trust the release binaries?_](#how-can-i-trust-the-release-binaries) for the verification command.
 #### From [crates.io](https://crates.io)
@@ -185,7 +185,7 @@ No. "Vibe coding" means letting AI do everything without human involvement. This
 Using AI also does not mean poor quality. On the contrary, AI reviews have helped detect previously undetected bugs.
-### How do I know the binaries on the GitHub Release page are genuine?
+### How can I trust the release binaries?
 Starting with version 0.22.1, every executable published to [GitHub Releases](https://github.com/KSXGitHub/parallel-disk-usage/releases) is accompanied by a [build provenance attestation](https://docs.github.com/en/actions/how-tos/secure-your-work/use-artifact-attestations/use-artifact-attestations). The attestation is cryptographically signed by [Sigstore](https://www.sigstore.dev/) — a public-good signing service operated by the Linux Foundation — and records that the binary was built by this repository's GitHub Actions deployment workflow from a specific commit. Because the signing happens inside GitHub's infrastructure via OIDC and the signatures are logged to Sigstore's public transparency log, the guarantee does not depend on trusting the maintainer's personal word: any tampered or manually uploaded binary would fail verification.

From 27ac8ac0b84c429f1cb94c7e2f9fd9c8c96bda12 Mon Sep 17 00:00:00 2001
From: Claude
Date: Tue, 7 Apr 2026 21:57:54 +0000
Subject: [PATCH 5/8] ci(deploy): attest shell completions, man page, and checksums

Extend build provenance attestations to the non-binary release assets. Shell completion files are sourced by the user's shell on tab completion, so a tampered completion file could execute arbitrary code; attesting them closes that gap. Checksum files are attested so that consumers who rely on sha*sum.txt can likewise verify it was produced by this workflow rather than swapped post-release.
---
 .github/workflows/deploy.yaml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index f6d9118b..ae9c92bf 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -248,9 +248,25 @@ jobs:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
+ attestations: write
+
 steps:
 - uses: actions/checkout@v6
+ - name: Attest build provenance
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: |
+ ./exports/completion.bash
+ ./exports/completion.fish
+ ./exports/completion.zsh
+ ./exports/completion.ps1
+ ./exports/completion.elv
+ ./exports/pdu.1
+
 - name: Upload Tab-Completion file for Bash
 uses: actions/upload-release-asset@v1.0.2
 env:
@@ -379,6 +395,11 @@ jobs:
 runs-on: ubuntu-latest
+ permissions:
+ contents: write
+ id-token: write
+ attestations: write
+
 steps:
 - uses: actions/checkout@v6
@@ -393,6 +414,14 @@ jobs:
 - name: Create checksums
 run: ./ci/github-actions/create-checksums.sh
+ - name: Attest build provenance
+ uses: actions/attest-build-provenance@v2
+ with:
+ subject-path: |
+ ./sha1sum.txt
+ ./sha256sum.txt
+ ./sha512sum.txt
+
 - name: Upload as artifacts
 uses: actions/upload-artifact@v7
 with:

From c9a93deaeca367794d0386934724e215a93a513a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Kh=E1=BA=A3i?=
Date: Wed, 8 Apr 2026 09:23:18 +0700
Subject: [PATCH 6/8] docs(readme): change styles
---
 README.md | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 1a3a8ea6..e2b8efe3 100644
--- a/README.md
+++ b/README.md
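Review bot: The paths listed under `subject-path` in the -248 hunk are repository files fetched by the preceding `actions/checkout@v6` step, not outputs of any build, so what this attestation proves is that each file matches the repository content at the checked-out commit — useful, but a different claim from the binaries' build provenance, and worth stating inline, e.g. `# Checked-in files, not build outputs: the attestation binds them to this commit.` The README text added in this series describes verifying only the binaries, so a sentence noting that the completion scripts, the man page and `sha*sum.txt` carry attestations too would let consumers verify them with the same `gh attestation verify` command. Since this job also has `contents: write` for the release uploads, the `id-token: write` grant is broader than in the build jobs and deserves the same one-line justification comment the later patches add. The upload steps of both jobs continue outside these hunks.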
@@ -146,7 +146,8 @@ Beware that the structure of the JSON tree differs depending on the number of fi
 Go to the [GitHub Release Page](https://github.com/KSXGitHub/parallel-disk-usage/releases) and download a binary.
-Starting with version 0.22.1, every executable published to GitHub Releases ships with a build provenance attestation, so you can cryptographically verify that the binary was produced by this repository's deployment workflow rather than uploaded by hand. See [_How can I trust the release binaries?_](#how-can-i-trust-the-release-binaries) for the verification command.
+> [!NOTE]
+> Starting with version 0.22.1, every executable published to GitHub Releases ships with a build provenance attestation, so you can cryptographically verify that the binary was produced by this repository's deployment workflow rather than uploaded by hand. See [_How can I trust the release binaries?_](#how-can-i-trust-the-release-binaries) for the verification command.
 #### From [crates.io](https://crates.io)
@@ -193,9 +194,10 @@ To verify a downloaded binary, install the [GitHub CLI](https://cli.github.com/)
 ```sh
 gh attestation verify downloaded-pdu --repo KSXGitHub/parallel-disk-usage
+# note: replace `downloaded-pdu` with the filename you downloaded.
 ```
-(Replace `downloaded-pdu` with the filename you downloaded.) A successful run prints the signer workflow and confirms that the file's SHA-256 matches the attested digest. All attestations for this repository can also be browsed at the [Attestations page](https://github.com/KSXGitHub/parallel-disk-usage/attestations).
+A successful run prints the signer workflow and confirms that the file's SHA-256 matches the attested digest. All attestations for this repository can also be browsed at the [Attestations page](https://github.com/KSXGitHub/parallel-disk-usage/attestations).
 Binaries from releases older than 0.22.1 are not attested.

From 93d84ccd49d1b00a9849ce52dae837701f12ed7b Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 8 Apr 2026 03:23:49 +0000
Subject: [PATCH 7/8] ci(deploy): document why id-token: write is kept at job level
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Annotate the permissions blocks with the reason the job needs id-token: write (actions/attest-build-provenance obtains a Sigstore OIDC token). The build jobs also note that the narrower-blast-radius refactor — splitting attestation into a dedicated job — was considered and rejected as disproportionate.
---
 .github/workflows/deploy.yaml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index ae9c92bf..b155fe28 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -66,6 +66,9 @@ jobs:
 permissions:
 contents: read
+ # Needed by actions/attest-build-provenance to request a Sigstore OIDC token.
+ # Kept at job level rather than split into a dedicated attest job — the
+ # narrower-blast-radius refactor was judged disproportionate here; see PR #387.
 id-token: write
 attestations: write
@@ -113,6 +116,9 @@ jobs:
 permissions:
 contents: read
+ # Needed by actions/attest-build-provenance to request a Sigstore OIDC token.
+ # Kept at job level rather than split into a dedicated attest job — the
+ # narrower-blast-radius refactor was judged disproportionate here; see PR #387.
 id-token: write
 attestations: write
@@ -159,6 +165,9 @@ jobs:
 permissions:
 contents: read
+ # Needed by actions/attest-build-provenance to request a Sigstore OIDC token.
+ # Kept at job level rather than split into a dedicated attest job — the
+ # narrower-blast-radius refactor was judged disproportionate here; see PR #387.
 id-token: write
 attestations: write
@@ -250,6 +259,7 @@ jobs:
 permissions:
 contents: write
+ # Needed by actions/attest-build-provenance to request a Sigstore OIDC token.
 id-token: write
 attestations: write
@@ -397,6 +407,7 @@ jobs:
 permissions:
 contents: write
+ # Needed by actions/attest-build-provenance to request a Sigstore OIDC token.
 id-token: write
 attestations: write

From 694c9060c33a4e6fe3ebeacf47bfcb9f54d45f65 Mon Sep 17 00:00:00 2001
From: Claude
Date: Wed, 8 Apr 2026 03:26:21 +0000
Subject: [PATCH 8/8] ci(deploy): shorten id-token: write comment
---
 .github/workflows/deploy.yaml | 21 +++++----------------
 1 file changed, 5 insertions(+), 16 deletions(-)

diff --git a/.github/workflows/deploy.yaml b/.github/workflows/deploy.yaml
index b155fe28..1f9b5b33 100644
--- a/.github/workflows/deploy.yaml
+++ b/.github/workflows/deploy.yaml
@@ -66,10 +66,7 @@ jobs:
 permissions:
 contents: read
- # Needed by actions/attest-build-provenance to request a Sigstore OIDC token.
- # Kept at job level rather than split into a dedicated attest job — the
- # narrower-blast-radius refactor was judged disproportionate here; see PR #387.
- id-token: write
+ id-token: write # needed for actions/attest-build-provenance
 attestations: write
 strategy:
@@ -116,10 +116,7 @@ jobs:
 permissions:
 contents: read
- # Needed by actions/attest-build-provenance to request a Sigstore OIDC token.
- # Kept at job level rather than split into a dedicated attest job — the
- # narrower-blast-radius refactor was judged disproportionate here; see PR #387.
- id-token: write
+ id-token: write # needed for actions/attest-build-provenance
 attestations: write
 strategy:
@@ -165,10 +159,7 @@ jobs:
 permissions:
 contents: read
- # Needed by actions/attest-build-provenance to request a Sigstore OIDC token.
- # Kept at job level rather than split into a dedicated attest job — the
- # narrower-blast-radius refactor was judged disproportionate here; see PR #387.
- id-token: write
+ id-token: write # needed for actions/attest-build-provenance
 attestations: write
 strategy:
@@ -259,8 +250,7 @@ jobs:
 permissions:
 contents: write
- # Needed by actions/attest-build-provenance to request a Sigstore OIDC token.
- id-token: write
+ id-token: write # needed for actions/attest-build-provenance
 attestations: write
 steps:
@@ -407,8 +397,7 @@ jobs:
 permissions:
 contents: write
- # Needed by actions/attest-build-provenance to request a Sigstore OIDC token.
- id-token: write
+ id-token: write # needed for actions/attest-build-provenance
 attestations: write
 steps: