Verifying Artifacts

Every HitKeep binary and Docker image published in a GitHub Release is signed with a GitHub Artifact Attestation — a cryptographically verifiable build-provenance record linking the artifact to the exact commit, workflow run, and Actions runner that produced it.

Verifying before deployment gives you a strong guarantee that the artifact was built from the official source code and has not been tampered with in transit or in the registry.

Install the GitHub CLI (gh) v2.49 or later, which includes the attestation subcommand:

gh --version

No authentication is required for public repositories.

All hitkeep-linux-* binaries attached to a GitHub Release are attested at build time.

1. Download the binary:

# Linux AMD64
curl -L https://github.com/pascalebeier/hitkeep/releases/latest/download/hitkeep-linux-amd64 \
  -o hitkeep-linux-amd64
# Linux ARM64
curl -L https://github.com/pascalebeier/hitkeep/releases/latest/download/hitkeep-linux-arm64 \
  -o hitkeep-linux-arm64

2. Verify the attestation:

gh attestation verify hitkeep-linux-amd64 --owner pascalebeier
gh attestation verify hitkeep-linux-arm64 --owner pascalebeier

A passing result looks like:

Loaded digest sha256:<digest> for file://hitkeep-linux-amd64
✓ Verification succeeded!
The following 1 attestation(s) matched the artifact:
- Build repo: https://github.com/pascalebeier/hitkeep
- Workflow: .github/workflows/pipeline.yml
- Ref: refs/tags/v1.x.x
- Signer: https://github.com/pascalebeier/hitkeep/.github/workflows/pipeline.yml@refs/tags/v1.x.x

If verification fails for any reason the command exits with a non-zero status and prints a clear error. Do not run the binary.
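
One way to enforce that rule in a deployment script, as an added example (not HitKeep's own code): the function below verifies the exact bytes it is about to install and fails closed on any non-zero exit from `gh`. The function name `verified_install` and the `GH_BIN` and `OWNER` variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: install a downloaded HitKeep binary only if its
# attestation verifies. GH_BIN and OWNER are hypothetical overrides.
GH_BIN="${GH_BIN:-gh}"
OWNER="${OWNER:-pascalebeier}"

# verified_install <downloaded-file> <destination>
#   0 = verified and installed
#   1 = verification failed, destination untouched
#   2 = artifact missing
#   3 = filesystem error
verified_install() {
  vi_src="$1"; vi_dest="$2"
  [ -f "$vi_src" ] || { echo "missing artifact: $vi_src" >&2; return 2; }

  # Stage a private, non-executable copy next to the destination so the
  # bytes that get verified are the bytes that get installed.
  vi_tmp="$(mktemp "${vi_dest}.XXXXXX")" || return 3
  cp -- "$vi_src" "$vi_tmp" || { rm -f -- "$vi_tmp"; return 3; }

  # Fail closed: any non-zero exit from the verifier blocks the install.
  if ! "$GH_BIN" attestation verify "$vi_tmp" --owner "$OWNER" >&2; then
    rm -f -- "$vi_tmp"
    echo "attestation verification failed for $vi_src; nothing installed" >&2
    return 1
  fi

  # Only now set the exec bit and rename into place, so the destination
  # never holds a partial or unverified file.
  chmod 0755 "$vi_tmp" && mv -f -- "$vi_tmp" "$vi_dest" \
    || { rm -f -- "$vi_tmp"; return 3; }
}

# Script usage: ./verified-install.sh hitkeep-linux-amd64 /usr/local/bin/hitkeep
if [ "$#" -eq 2 ]; then
  verified_install "$1" "$2"
fi
```
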

HitKeep images are published to two registries, both carrying identical provenance attestations.

gh attestation verify oci://index.docker.io/pascalebeier/hitkeep:latest \
  --owner pascalebeier

Pin to a specific version (recommended for production):

gh attestation verify oci://index.docker.io/pascalebeier/hitkeep:1.7.0 \
  --owner pascalebeier

The same check against the GitHub Container Registry image:

gh attestation verify oci://ghcr.io/pascalebeier/hitkeep:latest \
  --owner pascalebeier

| Claim | What it means |
| --- | --- |
| Repository | Built from github.com/pascalebeier/hitkeep |
| Workflow | Produced by .github/workflows/pipeline.yml |
| Ref | Corresponds to a specific tag or commit |
| Runner environment | Ran on a GitHub-hosted ubuntu-latest runner |

The attestation does not prove that the binary is free of vulnerabilities — it proves the artifact originated from the official CI pipeline and has not been modified after the fact.