feat: add attestation to installer

[SMillerDev]

• Have you followed the guidelines in our Contributing document?
• Have you checked to ensure there aren't other open Pull Requests for the same change?
• Have you added an explanation of what your changes do and why you'd like us to include them?
• Have you written new tests for your changes? Here's an example.
• Have you successfully run brew style with your changes locally?
• Have you successfully run brew typecheck with your changes locally?
• Have you successfully run brew tests with your changes locally?

---

We have one more artifact that's compiled by us that we can add attestation for.

[SMillerDev]

Actually, we do docker too. Not sure if that can have attestation?

[woodruffw]

Actually, we do docker too. Not sure if that can have attestation?

Like a docker image? I believe those can have attestations as well (anything that's an OCI blob can), although I haven't played with that part of GH attestations as much.

[woodruffw]

LGTM, thanks @SMillerDev! IMO docs on brew.sh for verifying this would be nice, although arguably most users won't have gh to verify it with until after they install brew...

[github-actions]

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

[SMillerDev]

I changed the docker attestation to only run on tags. It might be good to make it continue on errors.

[MikeMcQuaid]

I changed the docker attestation to only run on tags.

I think it'd be good to always attest, partly because I'm not sure I understand why it would fail without and partly to ensure this PR passes before merging 😁

It might be good to make it continue on errors.

I'd rather we didn't add this functionality if we think it's likely to fail.

[SMillerDev]

I think it'd be good to always attest, partly because I'm not sure I understand why it would fail without and partly to ensure this PR passes before merging 😁

It's an annoying docker thing. The attestation uses the package digest. But there is no package digest before it's uploaded somewhere. And we don't upload without a tag.

So there are two solutions to this:

• We always upload the containers
• We only do attestation on tags

I'd rather we didn't add this functionality if we think it's likely to fail.

Not particularly. I just have no way to test it.

[MikeMcQuaid]

And we don't upload without a tag.

Do we (n)ever upload the master Docker image? I thought we did but maybe I'm wrong.

• We only do attestation on tags

This seems reasonable, I'm just concerned (kinda like .pkg generation) it breaks on the tag and we don't notice.

At least if it's continue-on-error this would be mitigated so I'm 👍🏻 on that if you're 👍🏻 to keep an eye on next few tags.

[SMillerDev]

Do we (n)ever upload the master Docker image? I thought we did but maybe I'm wrong.

We don't, it surprised me a bit too.

This seems reasonable, I'm just concerned (kinda like .pkg generation) it breaks on the tag and we don't notice.

Yeah, I share your concern there. I'm fine having a look on tags, or changing it to upload for protected branches too.

[MikeMcQuaid]

Do we (n)ever upload the master Docker image? I thought we did but maybe I'm wrong.

We don't, it surprised me a bit too.

Just checked: we do. It's just in tests.yml, confusingly? Should probably move this to docker.yml instead.

[SMillerDev]

Yeah, we can attest those to try and then expand it after.

[MikeMcQuaid]

Makes sense, thanks! Some tiny naming tweaks then good to 🚢 and keep an eye on this.