
GitHub Repository Code Signing and Attestation with Post-Quantum Cryptography
Saves ~20 min
Workflow Steps
1. Gather Repository Details
2. Download from GitHub
3. Prepare Attestation Input
4. Create Quantum-Safe Attestation
5. Deliver Certificate to User
Details
Automate post-quantum code signing and software supply chain attestation for GitHub repositories and release artifacts. This workflow asks the user which GitHub repository, branch, tag, or specific file they want to certify, downloads the content using the GitHub Repo Browser tool, and signs it with the Quantum-Safe File Attestation tool using ML-DSA-65 (Dilithium3) post-quantum digital signatures via a hardware security module. It returns a verifiable attestation package containing a cryptographic manifest, a digital signature, and a verification bundle, along with a downloadable certificate link. Use cases include software release signing, open source distribution integrity, SBOM attestation, build artifact certification, code audit compliance evidence, CI/CD pipeline integrity verification, regulatory submission of source code, DevSecOps supply chain security, and tamper-proof repository snapshots for legal or IP protection.



