
Immutable releases are now generally available on GitHub


GitHub releases now support immutability, adding a new layer of supply chain security. With immutable releases, assets and tags are protected from tampering after publication, so the software you publish—and your users consume—remains secure and trustworthy.

Immutable releases offer:

Immutable assets: Once you publish a release as immutable, its assets can’t be added, modified, or deleted. This helps protect distributed artifacts from supply chain attacks.

Tag protection: Tags for new immutable releases are protected and can’t be deleted or moved.

Release attestations: Immutable releases receive signed attestations so you can easily verify the authenticity and integrity of assets, both on GitHub and in external environments.

You can enable immutable releases at the repository or organization level in your settings. Once enabled:

All new releases are immutable (i.e., assets are locked and tags are protected).

Existing releases remain mutable unless you republish them.

Disabling immutability doesn’t affect releases created while it was enabled. They remain immutable.

Release attestations let you verify that an artifact is authentic and unchanged, even outside GitHub. Attestations use the Sigstore bundle format, so you can easily verify releases and assets using the GitHub CLI or integrate with any Sigstore-compatible tooling to automate policy enforcement in your CI/CD pipelines. For instructions on how to verify the integrity of a release, see our docs on verifying the integrity of a release.
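As an added illustration (not GitHub's code and not part of the original announcement) of what an attestation binds, the sketch below pulls the in-toto statement out of a Sigstore bundle's DSSE envelope and checks that a downloaded asset's SHA-256 is listed as a subject. The sample bundle, asset name and predicate type are constructed placeholders, and the signature is assumed to have already been verified with the GitHub CLI or other Sigstore tooling.

```python
import base64
import hashlib
import hmac
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

def statement_from_bundle(bundle_json: str) -> dict:
    """Extract the in-toto statement carried in a Sigstore bundle's DSSE envelope."""
    envelope = json.loads(bundle_json).get("dsseEnvelope")
    if not envelope or envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError("bundle does not carry an in-toto DSSE envelope")
    return json.loads(base64.b64decode(envelope["payload"]))

def asset_matches_attestation(name: str, data: bytes, bundle_json: str) -> bool:
    """True only if the statement lists `name` with exactly this SHA-256.

    Checks the subject binding only; it does NOT verify the signature.
    """
    actual = hashlib.sha256(data).hexdigest()
    for subject in statement_from_bundle(bundle_json).get("subject", []):
        if subject.get("name") == name:
            expected = subject.get("digest", {}).get("sha256", "")
            return hmac.compare_digest(actual, expected.lower())
    return False  # fail closed: the asset is not covered by this attestation

def build_sample_bundle(assets: dict) -> str:
    """Constructed sample bundle for the demo (unsigned, placeholder predicate)."""
    statement = {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [
            {"name": n, "digest": {"sha256": hashlib.sha256(b).hexdigest()}}
            for n, b in assets.items()
        ],
        "predicateType": "https://example.invalid/placeholder-predicate",
        "predicate": {},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    envelope = {"payload": payload, "payloadType": IN_TOTO_PAYLOAD_TYPE, "signatures": []}
    return json.dumps({"dsseEnvelope": envelope})

if __name__ == "__main__":
    name = "tool-linux-amd64.tar.gz"  # constructed asset name
    bundle = build_sample_bundle({name: b"release bytes v1.0.0"})
    print("original:", asset_matches_attestation(name, b"release bytes v1.0.0", bundle))
    print("tampered:", asset_matches_attestation(name, b"tampered bytes", bundle))
```

A pipeline gate built on this idea should treat both a digest mismatch and a missing subject as a hard failure, and should run only after the bundle's signature has been verified.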
