Issue

The Obsidian plugin release process doesn't require artifact attestation, so nothing guarantees that the files in a release match the source code in the repository, whether the mismatch comes from developer error or from intent. With attestation, anyone can verify that the published `main.js` was built by the repository's own workflow from a specific commit, rather than uploaded by hand.

The new Community dashboard nicely highlights plugins lacking this attestation for transparency. Since some developers may not be familiar with artifact attestation yet, it would be great to provide a guide or documentation to help them get started when building new plugins.

Suggestion

Add a GitHub Actions workflow to the plugin template so that any developer can publish releases with artifact attestation, making attestation the default practice:
```yaml
# .github/workflows/release.yml
name: Build and Release Obsidian Plugin

on:
  push:
    tags:
      - "*" # Triggers on any tag push (e.g., 1.0.1); the tag must match the version in manifest.json

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # Needed to create the GitHub Release
      id-token: write      # Needed to mint the OIDC token for Sigstore
      attestations: write  # Needed to publish the attestation
    steps:
      - name: Checkout Code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: "lts/*"
          cache: "npm" # Speeds up subsequent runs

      - name: Install Dependencies
        run: npm ci # Installs exactly what package-lock.json pins (npm install may resolve differently)

      - name: Build Plugin
        run: npm run build

      # Signs a provenance statement for each listed file, binding its SHA-256
      # digest to this repository, workflow, commit and run. It runs after the
      # build so the attested digests are those of the files released below.
      - name: Attest Plugin Artifacts
        uses: actions/attest-build-provenance@v4
        with:
          subject-path: |
            main.js
            manifest.json
            styles.css

      # Third-party action pinned to a version tag here; pinning to a full
      # commit SHA gives a stronger guarantee, since tags can be moved.
      - name: Create GitHub Release
        uses: softprops/action-gh-release@v2
        with:
          generate_release_notes: true # Delete this line to prevent automated release notes
          files: |
            main.js
            manifest.json
            styles.css
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```
And add release instructions to the README:

## Release Process

1. Update Versions
   - Update the version in `manifest.json` and `package.json`. The tag pushed in step 3 must match the `manifest.json` version exactly (no `v` prefix), or Obsidian will not pick up the release.
2. Commit and Push
   ```sh
   git add .
   git commit -m "release: v1.x.x"
   git push origin main
   ```
3. Tag and Trigger
   ```sh
   git tag 1.x.x
   git push origin 1.x.x
   ```
4. Finalize
   - Check the GitHub Actions tab for success.
   - Edit the new GitHub Release to add notes.

## Troubleshooting

To delete a failed tag and retry:

```sh
git push --delete origin 1.x.x
git tag -d 1.x.x
```
I've tested the above flow with an existing plugin, and it is passing the artifact attestation scan.
Concern

Too opinionated? Adding this as a workflow would trigger automated releases on every tag push.
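Two checks that complement the release process above, as an added example (not part of the sample plugin or of this proposal): a pre-tag check that the tag you are about to push equals the `version` in `manifest.json` and `package.json`, which the workflow itself never validates, and a post-release check that downloads the release assets and verifies their provenance with the GitHub CLI, pinned to the repository's `release.yml` so an artifact attested by any other workflow is rejected. The file name `release-check.sh`, the function names, and the assumption that the `version` field sits on its own line (as in the sample plugin's JSON files) are mine; the `gh release download` and `gh attestation verify` flags are the CLI's own.

```shell
#!/usr/bin/env sh
# release-check.sh: added example, not part of the Obsidian sample plugin.
#   check_release_versions       run before "git tag": the tag must equal the
#                                "version" in manifest.json and package.json
#   verify_release_attestations  run after the workflow has finished: download
#                                the release assets and verify their provenance

# Print the "version" value from a JSON file. Assumption: the field is on its
# own line, as in the sample plugin's manifest.json and package.json, so no
# jq dependency is needed.
json_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_release_versions TAG MANIFEST_JSON PACKAGE_JSON
# Returns 0 when all three agree, 1 otherwise. Obsidian only picks up a release
# whose tag matches manifest.json exactly (no "v" prefix); the workflow above
# does not check this, so a typo here ships a release nobody can install.
check_release_versions() {
  tag=$1
  manifest_ver=$(json_version "$2")
  package_ver=$(json_version "$3")
  if [ -z "$manifest_ver" ]; then
    echo "no version field found in $2" >&2
    return 1
  fi
  if [ "$tag" != "$manifest_ver" ] || [ "$tag" != "$package_ver" ]; then
    echo "version mismatch: tag=$tag manifest.json=$manifest_ver package.json=$package_ver" >&2
    return 1
  fi
  echo "ok: $tag matches manifest.json and package.json"
}

# verify_release_attestations OWNER/REPO TAG
# Fetches the three release assets and checks each one's build provenance.
# --signer-workflow ties the attestation to this repo's release.yml, so a file
# attested by another workflow or repository fails; --deny-self-hosted-runners
# refuses builds that ran on runners GitHub does not control.
verify_release_attestations() {
  repo=$1
  tag=$2
  workdir=$(mktemp -d) || return 1
  gh release download "$tag" --repo "$repo" --dir "$workdir" \
    --pattern main.js --pattern manifest.json --pattern styles.css || return 1
  for asset in main.js manifest.json styles.css; do
    gh attestation verify "$workdir/$asset" --repo "$repo" \
      --signer-workflow "$repo/.github/workflows/release.yml" \
      --deny-self-hosted-runners || return 1
  done
  # The attested manifest must also carry the tagged version.
  [ "$(json_version "$workdir/manifest.json")" = "$tag" ] || return 1
  echo "ok: all assets of $repo@$tag carry valid provenance from release.yml"
}

# Usage (nothing runs when the file is sourced without arguments):
#   sh release-check.sh check 1.2.3
#   sh release-check.sh verify OWNER/REPO 1.2.3
case "${1:-}" in
  check)  check_release_versions "$2" manifest.json package.json ;;
  verify) verify_release_attestations "$2" "$3" ;;
esac
```

The `verify` mode is what a plugin user, or the Community dashboard, needs in order to trust a release: a green workflow run alone proves nothing if the uploaded `main.js` was replaced afterwards, whereas `gh attestation verify` recomputes the file's digest and checks it against a Sigstore-signed statement that names the workflow and commit that produced it.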