PHP: Add artifact signing (#189)

prateek-kumar-improving · web-flow · commit 91ba67cbacda · 2026-05-06T02:07:12.000-07:00
* PHP: Add artifact signing

Signed-off-by: Prateek Kumar &lt;prateek.kumar@improving.com&gt;
diff --git a/.github/workflows/publish-pecl.yml b/.github/workflows/publish-pecl.yml
@@ -2,6 +2,8 @@ name: Build and publish extension packages
 
 permissions:
   contents: write
+  id-token: write
+  attestations: write
 
 on:
   release:
@@ -351,3 +353,9 @@ jobs:
           asset_path: ${{ steps.build-package.outputs.package-file }}
           asset_name: ${{ steps.build-package.outputs.package-file }}
           asset_content_type: application/gzip
+
+      - name: Attest package provenance
+        if: github.event_name == 'release' || (github.event_name == 'workflow_dispatch' && github.event.inputs.create-release == 'true')
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-path: ${{ steps.build-package.outputs.package-file }}
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,6 +4,7 @@
 
 ### Changes
 
+* PHP: Add Sigstore-based artifact attestation for published PECL packages
 * PHP: Pin all third-party GitHub Actions to SHA commit hashes to mitigate supply chain attacks (CWE-829)
 * PHP: Remove repo-level SECURITY.md to use org-level security policy consistently across all valkey-io repositories
 * PHP: Add FT.* (Vector Search) commands: ftCreate, ftDropIndex, ftList, ftSearch, ftAggregate, ftInfo, ftAliasAdd, ftAliasDel, ftAliasUpdate, ftAliasList for standalone and cluster clients ([#171](https://github.com/valkey-io/valkey-glide-php/pull/171))
