diff --git a/content/actions/how-tos/create-and-publish-actions/manage-custom-actions.md b/content/actions/how-tos/create-and-publish-actions/manage-custom-actions.md index f8ed0adac7..416486f811 100644 --- a/content/actions/how-tos/create-and-publish-actions/manage-custom-actions.md +++ b/content/actions/how-tos/create-and-publish-actions/manage-custom-actions.md @@ -50,7 +50,7 @@ To use a specific action version, users can configure their {% data variables.pr ### Using tags for release management -{% ifversion immutable-releases-preview %} +{% ifversion fpt or ghec %} > [!NOTE] If you have enabled immutable releases to help prevent supply chain attacks and accidental changes to your releases, instead see [AUTOTITLE](/actions/how-tos/create-and-publish-actions/using-immutable-releases-and-tags-to-manage-your-actions-releases). {% endif %} diff --git a/content/actions/how-tos/create-and-publish-actions/release-and-maintain-actions.md b/content/actions/how-tos/create-and-publish-actions/release-and-maintain-actions.md index 737eb13256..b81034397a 100644 --- a/content/actions/how-tos/create-and-publish-actions/release-and-maintain-actions.md +++ b/content/actions/how-tos/create-and-publish-actions/release-and-maintain-actions.md @@ -55,7 +55,7 @@ To support the developer process in the next section, add two {% data variables. 1. Add a workflow that triggers when a commit is pushed to a feature branch or to `main` or when a pull request is created. Configure the workflow to run your unit and integration tests. For an example, see [this workflow](https://github.com/actions/javascript-action/blob/main/.github/workflows/ci.yml). 1. Add a workflow that triggers when a release is published or edited. Configure the workflow to ensure semantic tags are in place. You can use an action like [JasonEtco/build-and-tag-action](https://github.com/JasonEtco/build-and-tag-action) to compile and bundle the JavaScript and metadata file and force push semantic major, minor, and patch tags. For more information about semantic tags, see [About semantic versioning](https://docs.npmjs.com/about-semantic-versioning). - {% ifversion immutable-releases-preview %} + {% ifversion fpt or ghec %} > [!NOTE] > If you enable immutable releases for your repository, you cannot use this action to force push tags tied to releases on {% data variables.product.github %}. To learn how to manage your releases with immutable releases, see [AUTOTITLE](/actions/how-tos/create-and-publish-actions/using-immutable-releases-and-tags-to-manage-your-actions-releases). {% endif %} diff --git a/content/actions/how-tos/create-and-publish-actions/using-immutable-releases-and-tags-to-manage-your-actions-releases.md b/content/actions/how-tos/create-and-publish-actions/using-immutable-releases-and-tags-to-manage-your-actions-releases.md index b613aed2d4..855600505a 100644 --- a/content/actions/how-tos/create-and-publish-actions/using-immutable-releases-and-tags-to-manage-your-actions-releases.md +++ b/content/actions/how-tos/create-and-publish-actions/using-immutable-releases-and-tags-to-manage-your-actions-releases.md @@ -3,7 +3,8 @@ title: Using immutable releases and tags to manage your action's releases shortTitle: Use immutable releases intro: 'Learn how you can use a combination of immutable releases on {% data variables.product.github %} and Git tags to manage your action''s releases.' versions: - feature: immutable-releases-preview + fpt: '*' + ghec: '*' topics: - Actions - Code Security @@ -11,8 +12,6 @@ topics: - Dependencies --- -{% data reusables.releases.immutable-releases-preview-note %} - If you enable immutable releases on your action's repository, you can manage your action's releases as follows: 1. To start the release cycle, develop and validate a potential release for your action on a release branch. diff --git a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds.md b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds.md index 7415cbdd0f..2c83c9acb4 100644 --- a/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds.md +++ b/content/code-security/supply-chain-security/end-to-end-supply-chain/securing-builds.md @@ -59,7 +59,7 @@ How exactly you sign your build will depend on what sort of code you're writing, For more information, see [AUTOTITLE](/actions/security-guides/encrypted-secrets){% ifversion fpt or ghec %}, [AUTOTITLE](/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect),{% endif %} and [AUTOTITLE](/actions/hosting-your-own-runners/managing-self-hosted-runners/about-self-hosted-runners). -{% ifversion immutable-releases-preview %} +{% ifversion fpt or ghec %} ## Use immutable releases diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases.md index e0c5a5c255..9237a2f5bf 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases.md @@ -2,7 +2,8 @@ title: Immutable releases intro: 'Learn about immutable releases and how they can help you maintain the integrity of your software supply chain.' versions: - feature: immutable-releases-preview + fpt: '*' + ghec: '*' type: overview topics: - Code Security @@ -10,16 +11,34 @@ topics: - Dependencies --- -{% data reusables.releases.immutable-releases-preview-note %} +**Immutable releases** are releases where the assets and associated Git tag cannot be changed after publication. The use of this type of release increases security by blocking supply chain attacks. Attackers cannot: +* Inject vulnerabilities or malware into current project releases. +* Make changes to assets and tags that may break developer workflows. -**Immutable releases** are releases where the assets and associated Git tag cannot be changed after publication. They increase security by blocking: -* Supply chain attacks where attackers inject vulnerabilities or malware into current project releases -* Accidental changes to assets and tags that may break developer workflows +## What immutable releases protect + +When you enable immutable releases, the following protections are enforced: + +* **Git tags cannot be moved or deleted**: Once an immutable release is published, its associated Git tag is locked to a specific commit and cannot be changed or removed. +* **Release assets cannot be modified or deleted**: All files attached to the release (such as binaries and archives) are protected from modification or deletion. Additionally, creating an immutable release automatically generates a **release attestation**, which is a cryptographically verifiable record of a release containing the release tag, commit SHA, and release assets. Consumers can use this attestation to make sure the releases and artifacts they are using exactly match the published {% data variables.product.github %} releases. +> [!NOTE] +> Immutable releases include protection against repository resurrection attacks. Even if you delete a repository and create a new one with the same name, you cannot reuse tags that were associated with immutable releases in the original repository. + If a release is immutable, you will see "{% octicon "lock" aria-hidden="true" %} Immutable" below the title on the release page. +## Best practices for publishing immutable releases + +We recommend you use the following workflow for publishing an immutable release. + +1. Create the release as a draft. +1. Attach all associated assets to the draft release. +1. Publish the draft release. + +This ensures that all assets are in place before the release becomes immutable, preventing the need to work around immutability restrictions. + ## Next steps To learn how to enable immutable releases for your repository or organization, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/preventing-changes-to-your-releases). diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/preventing-changes-to-your-releases.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/preventing-changes-to-your-releases.md index 0e9df8a3a3..8d056b8866 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/preventing-changes-to-your-releases.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/preventing-changes-to-your-releases.md @@ -3,7 +3,8 @@ title: Preventing changes to your releases shortTitle: Prevent release changes intro: 'You can enforce immutable releases for a repository or organization to prevent potential vulnerabilities.' versions: - feature: immutable-releases-preview + fpt: '*' + ghec: '*' type: overview topics: - Code Security @@ -11,8 +12,6 @@ topics: - Dependencies --- -{% data reusables.releases.immutable-releases-preview-note %} - ## Enforcing immutable releases for your repository {% data reusables.repositories.navigate-to-repo %} diff --git a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/verifying-the-integrity-of-a-release.md b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/verifying-the-integrity-of-a-release.md index 2062defa2c..5887986a03 100644 --- a/content/code-security/supply-chain-security/understanding-your-software-supply-chain/verifying-the-integrity-of-a-release.md +++ b/content/code-security/supply-chain-security/understanding-your-software-supply-chain/verifying-the-integrity-of-a-release.md @@ -3,7 +3,8 @@ title: Verifying the integrity of a release shortTitle: Verify release integrity intro: 'You can avoid tampering and accidental changes by ensuring the releases you use have not been modified after publication.' versions: - feature: immutable-releases-preview + fpt: '*' + ghec: '*' type: overview topics: - Code Security @@ -12,8 +13,6 @@ topics: defaultTool: cli --- -{% data reusables.releases.immutable-releases-preview-note %} - {% cli %} ## Prerequisites diff --git a/content/repositories/releasing-projects-on-github/managing-releases-in-a-repository.md b/content/repositories/releasing-projects-on-github/managing-releases-in-a-repository.md index d623c388f6..0095e3c82b 100644 --- a/content/repositories/releasing-projects-on-github/managing-releases-in-a-repository.md +++ b/content/repositories/releasing-projects-on-github/managing-releases-in-a-repository.md @@ -31,6 +31,13 @@ You can choose whether {% data variables.large_files.product_name_long %} ({% da ## Creating a release +{% ifversion fpt or ghec %} + +> [!TIP] +> If you have enabled immutable releases for your repository, it's recommended to create releases as drafts first, attach all assets, and then publish. This ensures all assets are in place before the release becomes immutable. For more information, see [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases). + +{% endif %} + {% webui %} {% data reusables.repositories.navigate-to-repo %} @@ -67,9 +74,11 @@ If you @mention any {% data variables.product.github %} users in the notes, the ## Editing a release -{% ifversion immutable-releases-preview %} +{% ifversion fpt or ghec %} + > [!NOTE] > If you have enabled immutable releases for your repository, you can only edit the title and release notes after a release is published. See [AUTOTITLE](/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases). + {% endif %} {% webui %} diff --git a/data/reusables/releases/finish-release.md b/data/reusables/releases/finish-release.md index ca997be59d..57d3cad504 100644 --- a/data/reusables/releases/finish-release.md +++ b/data/reusables/releases/finish-release.md @@ -4,7 +4,7 @@ 1. Optionally, if {% data variables.product.prodname_discussions %} is enabled for the repository, create a discussion for the release. * Select **Create a discussion for this release**. * Select the **Category** dropdown menu, then click a category for the release discussion. -1. If you're ready to publicize your release, click **Publish release**. To work on the release later, click **Save draft**. +1. If you're ready to publicize your release, click **Publish release**. To work on the release later, click **Save draft**.{% ifversion fpt or ghec %} If you have enabled immutable releases for the repository, creating a draft first allows you to attach all assets before the release becomes immutable.{% endif %} {%- ifversion fpt or ghec %} You can then view your published or draft releases in the releases feed for your repository. For more information, see [AUTOTITLE](/repositories/releasing-projects-on-github/viewing-your-repositorys-releases-and-tags). diff --git a/data/reusables/releases/immutable-releases-preview-note.md b/data/reusables/releases/immutable-releases-preview-note.md deleted file mode 100644 index 9b5712d664..0000000000 --- a/data/reusables/releases/immutable-releases-preview-note.md +++ /dev/null @@ -1,2 +0,0 @@ -> [!NOTE] -> Immutable releases are currently in {% data variables.release-phases.public_preview %} and subject to change.