Guides

Attest your own Composer package

If you publish a Composer package, you can attest its provenance so consumers can verify it. k2gl/composer-attest-action does the whole thing in one line.

Add the workflow

Create .github/workflows/attest.yml, triggered on version tags:

name: Attest
on:
  push:
    tags: ['[0-9]*.[0-9]*.[0-9]*']
permissions:
  id-token: write        # request the Sigstore signing certificate
  attestations: write    # record the attestation
  contents: write        # attach signed assets to the release
jobs:
  attest:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with: { persist-credentials: false }
      - uses: k2gl/composer-attest-action@v1

Why it matters

The crucial detail: Composer installs the dist zipball (api.github.com/repos/{owner}/{repo}/zipball/{commit}), not a release tarball. The action attests both, so a verifier checking what Composer actually downloaded finds a matching attestation — signed by your repository’s own GitHub Actions identity, recorded in Sigstore’s public transparency log. No keys to manage.

Consumers then verify with k2gl/composer-attest. See the supply-chain overview.