Description
The problem
GitHub has a different feature for supply chain security apparently. I just refer to #1685 for details on the problem it can solve.
The solution
There is a single checkbox we can enable to make sure releases cannot be modified/deleted anymore once published (the last part is important).
The important thing to note:
Additionally, creating an immutable release automatically generates a release attestation, which is a cryptographically verifiable record of a release containing the release tag, commit SHA, and release assets
Alternatives
Full GitHub attestation: #1685 (I am unsure how that exactly works though if you combine it with the checkbox.)
Additional context
If I understand the text near the checkbox correctly, this should not interrupt our workflow:
Disallow assets and tags from being modified once a release is published.
If I understand it correctly, thus, draft releases can still be edited or do I read that wrong?
As our workflow publishes a draft first for PGP signatures etc. to attach that would be very much what we want…
Actually the docs describe exactly that "draft first" way as how one should handle releases in such a case.
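As an added illustration of what the "cryptographically verifiable record ... containing the release tag, commit SHA, and release assets" buys a consumer, the following is example code (not part of this issue, the project, or GitHub's tooling). It models the attestation payload as an in-toto Statement whose subjects are the release assets keyed by SHA-256, and checks downloaded assets against it. The asset bytes, tag, commit and predicate layout are constructed placeholders; the real predicate schema and the signature check belong to GitHub's attestation tooling, which this block does not reproduce.

```python
import hashlib

# Constructed sample assets, standing in for what a consumer downloaded from
# the release page (contents are placeholders, not a real project's files).
ASSETS = {
    "tool-1.2.0.tar.gz": b"constructed tarball bytes\n",
    "tool-1.2.0.tar.gz.asc": b"-----BEGIN PGP SIGNATURE-----\nconstructed\n-----END PGP SIGNATURE-----\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed attestation payload in in-toto Statement v1 shape: each subject
# is an asset name plus its digest. The predicateType URL and predicate fields
# are placeholders; GitHub's actual release predicate schema is not modelled.
STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {"name": name, "digest": {"sha256": sha256_hex(data)}}
        for name, data in ASSETS.items()
    ],
    "predicateType": "https://example.invalid/release-attestation",
    "predicate": {"tag": "v1.2.0", "commit": "0" * 40},
}


def verify_assets(statement: dict, downloaded: dict, expected_tag: str) -> list:
    """Compare downloaded assets with the attested subjects.

    Returns a list of human-readable problems; an empty list means every
    downloaded asset is named in the attestation with a matching digest,
    nothing attested is missing, and the tag is the one the consumer expects.
    This checks the binding between record and bytes only; whether the
    record itself is authentic is the signature verification step, done
    separately with GitHub's attestation tooling.
    """
    problems = []
    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("unexpected statement type")
    tag = statement.get("predicate", {}).get("tag")
    if tag != expected_tag:
        problems.append(f"tag mismatch: attested {tag!r}, expected {expected_tag!r}")

    attested = {s["name"]: s["digest"]["sha256"] for s in statement.get("subject", [])}
    for name, data in downloaded.items():
        if name not in attested:
            problems.append(f"{name}: not in attestation (added after publish?)")
        elif sha256_hex(data) != attested[name]:
            problems.append(f"{name}: digest mismatch (modified after publish?)")
    for name in attested:
        if name not in downloaded:
            problems.append(f"{name}: attested but missing from download")
    return problems


if __name__ == "__main__":
    print("clean release:", verify_assets(STATEMENT, ASSETS, "v1.2.0"))
    tampered = dict(ASSETS, **{"tool-1.2.0.tar.gz": b"swapped tarball\n"})
    print("tampered asset:", verify_assets(STATEMENT, tampered, "v1.2.0"))
```

The point of the checkbox plus the generated attestation is that once the record exists, a swapped or removed asset shows up as a digest mismatch or a missing subject rather than silently replacing what was reviewed. Checking the record's signature and its origin repository is the part GitHub's `gh attestation verify` command handles (for example `gh attestation verify <asset> --repo OWNER/REPO`); the digest comparison above is the part a consumer can reason about offline.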