From 153bbd705cf2d0ff83b8c27aae6aac6ffb9126e4 Mon Sep 17 00:00:00 2001 From: Jeff Larson Date: Sun, 5 Jul 2026 01:44:50 -0700 Subject: [PATCH] ci: enable buildx SLSA provenance + SBOM attestations Co-Authored-By: Claude Opus 4.8 (1M context) Claude-Session: https://claude.ai/code/session_01VtjoJttCvBY4dzCoE4f9vP --- .github/workflows/ci.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 2833056..c0edc0c 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -155,8 +155,8 @@ jobs: # WAN transfer (see JEF-87 / measure in JEF-82). cache-from: type=gha cache-to: type=gha,mode=max - provenance: false - sbom: false + provenance: true + sbom: true - uses: sigstore/cosign-installer@v3 - name: Sign the image (keyless) # Sign by immutable digest, not tag. Keyless: GitHub's OIDC token is