Add NuGet package attestations using GitHub provenance#3119
Merged
Conversation
Copilot (AI) changed the title from "[WIP] Add NuGet attestations for the NuGet package" to "Add NuGet package attestations using GitHub provenance" on Nov 6, 2025.
Coveralls: Pull Request Test Coverage Report for Build 19192192660 (Details)
💛 - Coveralls

Qodana for .NET: It seems all right 👌 No new problems were found according to the checks applied. 💡 Qodana analysis was run in the pull request mode: only the changed files were checked. Contact Qodana team: contact us at qodana-support@jetbrains.com
66b076d to 34b4022
dennisdoomen approved these changes on Nov 8, 2025.
jnyrup reviewed on Nov 8, 2025.
jnyrup (Member) left a comment:
I've got no experience with attestation, but it seems like a good thing to do.
What triggered you to enable this?

I only read this blog post so far:
https://andrewlock.net/creating-provenance-attestations-for-nuget-packages-in-github-actions/
Co-authored-by: dennisdoomen <572734+dennisdoomen@users.noreply.github.com>
34b4022 to 518a9fc
jnyrup approved these changes on Nov 8, 2025.
This was referenced Mar 16, 2026
This was referenced Jun 29, 2026

Closes #[issue_number]
Adds cryptographically signed provenance attestations to NuGet packages on release, enabling consumers to verify package authenticity and build integrity.
Changes
- `id-token: write` and `attestations: write` added to the build job for OIDC and attestation generation.
- `.nupkg` existence check before attestation (tag pushes only).
- `actions/attest-build-provenance@v2` run for all packages in `Artifacts/`.
- Attestations are created after package build and before upload, only on tag pushes when packages exist.
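The workflow shape the change list above describes, written out as an added example; this is not the PR's own workflow file. The job name `build`, the `v*` tag pattern, the `dotnet pack` invocation, the `setup-dotnet`/`upload-artifact` steps and the `packages` step id are assumptions made for illustration; the permissions, the `Artifacts/` directory, the `.nupkg` existence check, the tag-push condition and `actions/attest-build-provenance@v2` come from the PR description.

```yaml
name: Build

on:
  push:
    branches: [main]
    tags: ['v*']          # assumed release-tag pattern
  pull_request:

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read      # keep the default scope minimal; only the two below are new
      id-token: write     # lets the job obtain an OIDC token naming this repo/workflow/ref
      attestations: write # lets the job store the signed attestation with the repository
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-dotnet@v4

      - name: Pack
        run: dotnet pack --configuration Release --output Artifacts

      # Only attest on tag pushes, and only if packing actually produced packages.
      - name: Check for packages
        id: packages
        if: startsWith(github.ref, 'refs/tags/')
        run: |
          if ls Artifacts/*.nupkg >/dev/null 2>&1; then
            echo "found=true" >> "$GITHUB_OUTPUT"
          else
            echo "found=false" >> "$GITHUB_OUTPUT"
          fi

      # Signs a SLSA provenance statement binding each package's SHA-256 digest
      # to the workflow identity (repository, ref, workflow path, commit).
      - name: Attest build provenance
        if: startsWith(github.ref, 'refs/tags/') && steps.packages.outputs.found == 'true'
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: 'Artifacts/*.nupkg'

      # Attestation happens before the packages leave the job.
      - name: Upload packages
        uses: actions/upload-artifact@v4
        with:
          name: packages
          path: Artifacts/*.nupkg
```

A consumer checks a downloaded package against the stored attestation with `gh attestation verify <package>.nupkg --owner <org>` (placeholders for the package file and the GitHub organisation); the check fails if the file's digest does not match an attestation signed by a workflow of that owner. Two points worth keeping in mind: the attestation is a GitHub/Sigstore artifact, not a NuGet author signature, so `nuget.org` and `dotnet nuget verify` do not evaluate it; and `id-token: write` is granted per job, so keeping `contents: read` alongside it avoids widening the job's token beyond what the attestation step needs.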