Add NuGet package attestations using GitHub provenance by Copilot · Pull Request #3119 · fluentassertions/fluentassertions · GitHub

Add NuGet package attestations using GitHub provenance #3119

Merged: dennisdoomen merged 2 commits into main from copilot/add-nuget-attestations on Nov 8, 2025

Copilot AI commented Nov 6, 2025

Closes #[issue_number]

Adds cryptographically signed provenance attestations to NuGet packages on release, enabling consumers to verify package authenticity and build integrity.

Changes

  • Permissions: Added id-token: write and attestations: write to build job for OIDC and attestation generation
  • Pre-flight check: Verify .nupkg existence before attestation (tag pushes only)
  • Attestation step: Generate provenance using actions/attest-build-provenance@v2 for all packages in Artifacts/

Attestations are created after package build and before upload, only on tag pushes when packages exist.

Original prompt

Add nuget attestations for the nuget package using github's provenance attestations


Copilot AI self-assigned this Nov 6, 2025
Copilot AI changed the title [WIP] Add NuGet attestations for the NuGet package Add NuGet package attestations using GitHub provenance Nov 6, 2025
Copilot AI requested a review from dennisdoomen November 6, 2025 18:50

github-actions Bot commented Nov 6, 2025


coveralls commented Nov 6, 2025

Pull Request Test Coverage Report for Build 19192192660

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 97.154%

Totals Coverage Status
Change from base Build 18872999242: 0.0%
Covered Lines: 12826
Relevant Lines: 13046

💛 - Coveralls

github-actions Bot commented Nov 6, 2025

Qodana for .NET

It seems all right 👌

No new problems were found according to the checks applied

💡 Qodana analysis was run in the pull request mode: only the changed files were checked
☁️ View the detailed Qodana report

Contact Qodana team

Contact us at qodana-support@jetbrains.com

dennisdoomen force-pushed the copilot/add-nuget-attestations branch from 66b076d to 34b4022 November 8, 2025 07:29
dennisdoomen added the building (Building and Infrastructure of Fluent Assertions) label Nov 8, 2025
dennisdoomen requested a review from jnyrup November 8, 2025 07:29

jnyrup left a comment

I've got no experience with attestation but it seems like a good thing to do.
What triggered you to enable this?
I only read this blog post so far.
https://andrewlock.net/creating-provenance-attestations-for-nuget-packages-in-github-actions/

Comment thread .github/workflows/build.yml

Co-authored-by: dennisdoomen <572734+dennisdoomen@users.noreply.github.com>
dennisdoomen force-pushed the copilot/add-nuget-attestations branch from 34b4022 to 518a9fc November 8, 2025 11:07
dennisdoomen marked this pull request as ready for review November 8, 2025 11:07
This was referenced Jun 29, 2026