The recommended way to do this is via artifact attestation:
replyhttps://docs.github.com/en/actions/how-tos/secure-your-work/...
Thanks that's interesting. The docs are aimed at developers, but I'm curious about the use case for the end user.
replySo would a user have to do some kind of `gh attestation verify PATH/TO/YOUR/BUILD/ARTIFACT-BINARY ...`? (assuming the plugin dev provides an sbom?)
In the near term artifact attestation will be visible to users in the directory, and part of the overall scorecard of a plugin.
reply