From fb13cb306901256ace3dab689990e13a5550ffaa Mon Sep 17 00:00:00 2001 From: Sviatoslav Sydorenko Date: Wed, 30 Oct 2024 02:20:55 +0100 Subject: [PATCH] =?UTF-8?q?=F0=9F=93=9D=20Reflect=20the=20PR=20#277=20chan?= =?UTF-8?q?ges=20in=20README?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This makes minimum modifications to indicate that `attestations` is not on by default. --- README.md | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index c0998c5..9246fd9 100644 --- a/README.md +++ b/README.md @@ -111,16 +111,17 @@ filter to the job: > Generating and uploading digital attestations currently requires > authentication with a [trusted publisher]. -You can generate signed [digital attestations] for all the distribution files and -upload them all together by enabling the `attestations` setting: +Generating signed [digital attestations] for all the distribution files +and uploading them all together is now on by default for all projects +using Trusted Publishing. To disable it, set `attestations` as follows: ```yml with: - attestations: true + attestations: false ``` -This will use [Sigstore] to create attestation -objects for each distribution package, signing them with the identity provided +The attestation objects are created using [Sigstore] for each +distribution package, signing them with the identity provided by the GitHub's OIDC token associated with the current workflow. This means both the trusted publishing authentication and the attestations are tied to the same identity.