Immutable releases are now generally available on GitHub
6 months ago
- #SupplyChainSecurity
- #GitHub
- #ImmutableReleases
- GitHub releases now support immutability, enhancing supply chain security.
- Immutable releases protect assets and tags from tampering post-publication.
- Features include immutable assets, tag protection, and release attestations.
- Immutable assets cannot be added, modified, or deleted after publication.
- Tags for immutable releases are protected and cannot be deleted or moved.
- Release attestations allow verification of authenticity and integrity.
- Immutable releases can be enabled at repository or organization levels.
- Once enabled, all new releases are immutable; existing ones remain mutable unless republished.
- Disabling immutability does not affect previously created immutable releases.
- Attestations use the Sigstore bundle format, so they can be verified with the GitHub CLI or any Sigstore-compatible tool.
- Feedback is encouraged via the GitHub Community.
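
As an added illustration (not code from GitHub or from the original post), the sketch below shows what a release attestation binds: it decodes the in-toto statement carried in a Sigstore bundle's DSSE envelope and compares the recorded SHA-256 subject digest with a downloaded asset. The bundle, asset name, predicate type and signature value are constructed placeholders, and the code does not verify the signature or certificate chain, which is the job of the GitHub CLI or a Sigstore-compatible verifier.

```python
import base64
import hashlib
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

def subject_digests(bundle: dict) -> dict:
    """Return {subject name: sha256 hex} from the in-toto statement in a bundle."""
    envelope = bundle["dsseEnvelope"]
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError("bundle does not carry an in-toto DSSE payload")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    return {
        s["name"]: s["digest"]["sha256"].lower()
        for s in statement.get("subject", [])
        if "sha256" in s.get("digest", {})
    }

def asset_matches(bundle: dict, name: str, data: bytes) -> bool:
    """True only if `name` is an attested subject and `data` hashes to its digest."""
    expected = subject_digests(bundle).get(name)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected

def build_sample_bundle(name: str, data: bytes) -> dict:
    """Build a CONSTRUCTED bundle for the demo; nothing in it is really signed."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(data).hexdigest()}}],
        "predicateType": "https://example.invalid/constructed-predicate",  # placeholder
        "predicate": {},
    }
    return {
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "dsseEnvelope": {
            "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
            "payloadType": IN_TOTO_PAYLOAD_TYPE,
            "signatures": [{"sig": "CONSTRUCTED-NOT-A-REAL-SIGNATURE"}],
        },
    }

# Constructed sample input: a fake asset and the bundle that attests to it.
ASSET_NAME = "tool-linux-amd64.tar.gz"
ASSET_BYTES = b"constructed release asset\n"
SAMPLE_BUNDLE = build_sample_bundle(ASSET_NAME, ASSET_BYTES)

if __name__ == "__main__":
    print("untouched asset:", asset_matches(SAMPLE_BUNDLE, ASSET_NAME, ASSET_BYTES))
    print("modified asset: ", asset_matches(SAMPLE_BUNDLE, ASSET_NAME, ASSET_BYTES + b"x"))
    print("unlisted asset: ", asset_matches(SAMPLE_BUNDLE, "extra.zip", ASSET_BYTES))
```

A digest match on its own only shows the file is the one named in the statement; trust in the statement itself comes from verifying the bundle's signature with one of the tools the post names.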