GitHub Releases Introduce Immutability for Enhanced Supply Chain Security
Allison reports on GitHub’s rollout of immutable releases in public preview, highlighting new supply chain security measures, tag and asset protection, and cryptographic attestations for artifact verification.
GitHub has announced that releases now support immutability in public preview, marking a significant advancement in supply chain security for developers and organizations.
Key Features of Immutable Releases
- Immutable Assets: Once a release is published as immutable, its assets cannot be added, altered, or removed. This safeguards distributed artifacts from supply chain tampering.
- Tag Protection: Tags associated with new immutable releases are locked down and cannot be deleted or changed, reinforcing the trustworthiness of software versions.
- Release Attestations: Every immutable release is accompanied by a signed attestation, enabling users and automated systems to verify authenticity and integrity even outside GitHub.
How to Enable Immutable Releases
- Enable at either the repository or organization level within your GitHub settings.
- Once enabled, all new releases are immutable by default. Existing releases remain mutable unless republished.
- If immutability is later disabled, any releases made during the enabled period remain immutable and protected.
Verifying Releases and Assets
- Release attestations are based on the Sigstore bundle format, supporting integration with Sigstore-compatible tools and policy automation in CI/CD pipelines.
- Developers can use the GitHub CLI to check the validity of releases and assets:
  gh release verify <tag>
  gh release verify-asset <tag> <asset>
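A CI-style gate built on those two commands, added here as an example and not taken from the GitHub post: it downloads a release's assets, verifies the release and then every asset, and fails closed on the first attestation that does not check out. It assumes a gh version that ships the `verify` and `verify-asset` subcommands named above, that the `<asset>` argument is the path of the downloaded file, and that the script runs inside a checkout of the repository so gh can infer the repo.

```shell
#!/bin/sh
# Added example (not GitHub's own code). Assumes `gh release verify` and
# `gh release verify-asset <tag> <file>` as described in the post, and that
# gh infers the repository from the current git checkout.
set -eu

# Verify the release attestation, then every file in $dir.
# Returns 0 only if the release and all assets verify; stops at the first
# failure so nothing unverified is ever unpacked or installed.
verify_release_assets() {
  tag="$1"
  dir="$2"
  if ! gh release verify "$tag"; then
    echo "release $tag: attestation verification FAILED" >&2
    return 1
  fi
  count=0
  for asset in "$dir"/*; do
    [ -f "$asset" ] || continue
    if ! gh release verify-asset "$tag" "$asset"; then
      echo "asset $(basename "$asset"): attestation verification FAILED" >&2
      return 1
    fi
    echo "verified: $(basename "$asset")"
    count=$((count + 1))
  done
  echo "release $tag: $count asset(s) verified"
  return 0
}

# Typical pipeline use: download first, gate on verification, only then use.
main() {
  tag="$1"
  dir="${2:-release-assets}"
  gh release download "$tag" --dir "$dir"
  verify_release_assets "$tag" "$dir"
}

# Run as a script: ./verify-release.sh v1.2.3 [download-dir]
if [ "$#" -gt 0 ]; then
  main "$@"
fi
```

Wire the script in as a step before any install or deploy job so a tampered or unattested asset stops the pipeline instead of shipping.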
Additional Resources
Note: Immutable releases are being gradually deployed across all repositories and organizations.
This post appeared first on “The GitHub Blog”.