
This is where attestation/sigstore comes into play. GitHub has a first-party action for it and I wish more projects would use it. Regarding JavaScript specifically, I believe npm has built-in support for sigstore.

* https://docs.github.com/en/actions/concepts/security/artifac...

* https://www.sigstore.dev/

* https://github.com/actions/attest


