I can finally talk about what we've been working on for the past two years(!)
Using #sigstore, GitHub now supports artifact signing, which allows you to create unforgeable provenance guarantees for any software you build inside Actions.
It's been a heck of a ride, & you can read more about (and learn how to use it) here:
I think I should write a bit about the "rapid" adoption of sigstore and the possible problem domains we might have in the future.
It's not like this bodes very well for things like Reproducible Builds if we expect an OIDC issuer to continue living for a reasonable number of years under the same domain... with the same version... key rotation and... and...
It makes me so happy to see #sigstore mentioned at #pycon! There's still a long road to make this as easy as verifying when doing a pip install foo, but this is great progress. 🙌