dsp_person 6 hours ago

One thing that bugged me when I made a community plugin was that you have to attach non-git-controlled files to the release (e.g. main.js).

To check if any community plugin is safe, it seems like you'd have to not only review the code on github, but also analyze the github release files to be sure nothing malicious is packed in there.

Maybe I'm misunderstanding something about the process; I'd appreciate it if anyone could confirm or explain otherwise.

kepano 5 hours ago | parent

The recommended way to do this is via artifact attestation:

https://docs.github.com/en/actions/how-tos/secure-your-work/...

dsp_person 5 hours ago | parent

Thanks that's interesting. The docs are aimed at developers, but I'm curious about the use case for the end user.

So would a user have to do some kind of `gh attestation verify PATH/TO/YOUR/BUILD/ARTIFACT-BINARY ...`? (assuming the plugin dev provides an sbom?)
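
An added example (not from the thread, and not Obsidian's or GitHub's code) of what the end-user side of that `gh attestation verify` call looks like underneath. The command fetches the Sigstore bundle recorded for the artifact's digest and checks that a GitHub-signed in-toto statement names that exact sha256 as its subject and was produced by a workflow in the expected repository. No SBOM is needed for this: build provenance is its own attestation predicate type. The Python below parses a bundle of the kind `gh attestation download main.js --repo OWNER/REPO` writes (a JSONL file named after the digest), confirms the bytes you downloaded match the statement's subject digest, and pulls out the repository, workflow, ref and commit a user would compare against the plugin's GitHub page. It deliberately does not check the DSSE signature or the Fulcio certificate chain, which is the part only `gh attestation verify` (or sigstore/cosign) should do. The plugin file, repository, commit and signature in the sample are constructed placeholders.

```python
# Added example: inspect the Sigstore bundle behind a GitHub artifact attestation.
# Not code from the thread, Obsidian or GitHub. It parses the in-toto statement and
# compares digests only; it does NOT verify the DSSE signature or Fulcio cert chain.
import base64
import hashlib
import json

IN_TOTO_STATEMENT = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"


def load_statements(bundle_jsonl: str) -> list:
    """Decode the in-toto statements from a `gh attestation download` JSONL file
    (one Sigstore bundle per line; the statement is the base64 DSSE payload)."""
    statements = []
    for line in (l for l in bundle_jsonl.splitlines() if l.strip()):
        envelope = json.loads(line)["dsseEnvelope"]
        if envelope.get("payloadType") != DSSE_PAYLOAD_TYPE:
            raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
        statement = json.loads(base64.b64decode(envelope["payload"]))
        if statement.get("_type") != IN_TOTO_STATEMENT:
            raise ValueError(f"unexpected statement type {statement.get('_type')!r}")
        statements.append(statement)
    return statements


def subject_matches(statement: dict, artifact: bytes) -> bool:
    """True if a subject's sha256 equals the digest of the bytes we downloaded.
    Match by digest only: the subject name is whatever the workflow passed in."""
    digest = hashlib.sha256(artifact).hexdigest()
    return any(s.get("digest", {}).get("sha256", "").lower() == digest
               for s in statement.get("subject", []))


def summarize_provenance(statement: dict) -> dict:
    """The SLSA provenance fields a user compares against the plugin's GitHub page."""
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        raise ValueError("not a SLSA v1 provenance statement")
    pred = statement["predicate"]
    build = pred["buildDefinition"]
    wf = build["externalParameters"]["workflow"]
    source = next((d for d in build.get("resolvedDependencies", [])
                   if "gitCommit" in d.get("digest", {})), {})
    return {
        "repository": wf["repository"],
        "workflow": wf["path"],
        "ref": wf["ref"],
        "commit": source.get("digest", {}).get("gitCommit"),
        "builder_id": pred["runDetails"]["builder"]["id"],
        "run": pred["runDetails"]["metadata"]["invocationId"],
    }


def check_release_file(bundle_jsonl: str, artifact: bytes):
    """Provenance summary if a statement in the bundle names these exact bytes, else None."""
    for statement in load_statements(bundle_jsonl):
        if subject_matches(statement, artifact):
            return summarize_provenance(statement)
    return None


# --- Constructed sample: hypothetical plugin, repo and commit; placeholder signature.
MAIN_JS = b"module.exports = class Plugin { onload() {} };\n"
REPO = "https://github.com/example-org/example-plugin"
REF, WORKFLOW = "refs/tags/1.2.3", ".github/workflows/release.yml"


def make_sample_bundle(artifact: bytes) -> str:
    statement = {
        "_type": IN_TOTO_STATEMENT,
        "subject": [{"name": "main.js", "digest": {"sha256": hashlib.sha256(artifact).hexdigest()}}],
        "predicateType": SLSA_PROVENANCE_V1,
        "predicate": {
            "buildDefinition": {
                "buildType": "https://actions.github.io/buildtypes/workflow/v1",
                "externalParameters": {"workflow": {"ref": REF, "repository": REPO, "path": WORKFLOW}},
                "resolvedDependencies": [{"uri": f"git+{REPO}@{REF}", "digest": {"gitCommit": "a" * 40}}],
            },
            "runDetails": {
                "builder": {"id": f"{REPO}/{WORKFLOW}@{REF}"},
                "metadata": {"invocationId": f"{REPO}/actions/runs/1/attempts/1"},
            },
        },
    }
    bundle = {
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "verificationMaterial": {},  # certificate and Rekor entry omitted in this sample
        "dsseEnvelope": {
            "payload": base64.b64encode(json.dumps(statement).encode()).decode(),
            "payloadType": DSSE_PAYLOAD_TYPE,
            "signatures": [{"sig": "UExBQ0VIT0xERVI="}],  # placeholder, not a real signature
        },
    }
    return json.dumps(bundle) + "\n"


SAMPLE_BUNDLE = make_sample_bundle(MAIN_JS)

if __name__ == "__main__":
    print(check_release_file(SAMPLE_BUNDLE, MAIN_JS))             # provenance dict
    print(check_release_file(SAMPLE_BUNDLE, MAIN_JS + b"//x\n"))  # None: digest mismatch
```

Run as a script it prints the provenance for the sample file and `None` for a copy with one byte changed, which is the whole point of binding the attestation to the digest rather than to a file name or a release tag. Against a real plugin release the equivalent is `gh attestation verify main.js --repo OWNER/REPO` (or `--bundle sha256:<digest>.jsonl` to verify a previously downloaded bundle), and the thing to read off its output is the same: which repository and workflow signed for this exact digest, so a `main.js` that was not produced by the repo's own release workflow fails even though it sits in the same GitHub release.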

kepano 5 hours ago | parent

In the near term artifact attestation will be visible to users in the directory, and part of the overall scorecard of a plugin.