This is where attestation/sigstore comes into play. GitHub has a first-party action for it and I wish more projects would use it. Regarding JavaScript specifically, I believe npm has built-in support for sigstore.
* https://docs.github.com/en/actions/concepts/security/artifac...
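For readers who want to see what the two mechanisms mentioned above look like in practice, here is an added example of a GitHub Actions workflow (not part of the original comment or of any project it refers to). It attests a build artifact with GitHub's `actions/attest-build-provenance` action, verifies that attestation with the `gh` CLI, and publishes an npm package with sigstore provenance via `npm publish --provenance`. The repository name `example-org/example-pkg`, the artifact path `dist/example-pkg.tgz`, and the build commands are placeholders chosen for the illustration.

```yaml
# Added example: build provenance attestation + npm provenance.
# Placeholder repo/paths are assumptions, not values from the page.
name: release

on:
  push:
    tags: ["v*"]

permissions:
  contents: read
  id-token: write        # OIDC token used by sigstore to sign the attestation
  attestations: write    # lets the action store the attestation on GitHub

jobs:
  build-attest-publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: "20"
          registry-url: "https://registry.npmjs.org"

      # Build the artifact that will be attested (placeholder commands).
      - run: npm ci
      - run: npm run build
      - run: mkdir -p dist && npm pack --pack-destination dist
      - run: mv dist/*.tgz dist/example-pkg.tgz

      # Generate and sign a SLSA build-provenance attestation for the tarball.
      - uses: actions/attest-build-provenance@v1
        with:
          subject-path: dist/example-pkg.tgz

      # Verify the attestation as a consumer would, using the gh CLI that is
      # preinstalled on GitHub-hosted runners. Fails the job if the artifact's
      # digest has no valid attestation from this repository.
      - run: gh attestation verify dist/example-pkg.tgz --repo example-org/example-pkg
        env:
          GH_TOKEN: ${{ github.token }}

      # Publish to npm with sigstore-backed provenance; npm uses the same
      # id-token permission to prove which workflow produced the package.
      - run: npm publish --provenance --access public
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
```

Downstream, a consumer can check the npm side with `npm audit signatures`, which verifies registry signatures and provenance attestations for installed packages, and the artifact side with the same `gh attestation verify` call shown in the workflow. The `id-token: write` permission is what ties both signatures to the workflow identity rather than to a long-lived key.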