> > > I worked on an automated release workflow[^1] for php-src a few years
> > > ago, but after discussions with others from various major project
> > > communities (including Apache, Linux, etc.), I realized the solution
> > > wasn't workable for one main reason:
> > >
> > > An automated workflow cannot sign builds and still be considered secure.
> > >
> > > Builds must be signed by a human on the machine where the build took
> > > place. Automating the signatures in the cloud significantly reduces
> > > trust and greatly increases the likelihood of a bad actor gaining access
> > > to sneak things into the build (e.g., through compromised GitHub
> > > Actions, etc.).
I strongly disagree. I have way more trust in an automatic build environment with reproducible (key word here) builds than in a (potentially corruptible) human that pinkie swears no changes were made to an autogenerated configure contained in released tarballs.
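The reproducibility argument in the reply above, as an added example that is not part of the thread and not php-src's release tooling: a deterministic tarball packer (Python standard library only, assumed Python 3.8+) that pins timestamps, ownership and mode so two independent rebuilds of the same source tree give byte-identical archives, beside a naive packer that leaks filesystem metadata and a gzip timestamp. Once the archive is reproducible, a published SHA-256 (signed, or carried in a build attestation) lets any third party verify a release tarball, generated configure script included, by rebuilding it themselves rather than trusting whoever ran the release. The file tree, file names and contents are constructed inside the block.

```python
"""Added example: reproducible tarball packing and independent verification."""
import gzip
import hashlib
import io
import os
import tarfile
import tempfile
from pathlib import Path


def pack_deterministic(src_dir: str) -> bytes:
    """Pack src_dir so the bytes depend only on relative paths, contents and exec bits."""
    root = Path(src_dir)
    buf = io.BytesIO()
    # mtime=0 pins the gzip header timestamp; a BytesIO has no name, so no FNAME field
    with gzip.GzipFile(fileobj=buf, mode="wb", mtime=0) as gz:
        with tarfile.open(fileobj=gz, mode="w", format=tarfile.PAX_FORMAT) as tar:
            for path in sorted(root.rglob("*")):  # fixed, locale-independent order
                ti = tar.gettarinfo(str(path), arcname=path.relative_to(root).as_posix())
                ti.mtime = 0                      # drop timestamps
                ti.uid = ti.gid = 0               # drop ownership
                ti.uname = ti.gname = ""
                is_exec = path.is_dir() or os.access(path, os.X_OK)
                ti.mode = 0o755 if is_exec else 0o644  # keep only the exec bit
                if path.is_file():
                    with open(path, "rb") as f:
                        tar.addfile(ti, f)
                else:
                    tar.addfile(ti)
    return buf.getvalue()


def pack_naive(src_dir: str) -> bytes:
    """What a plain `tar czf` does: real mtimes, uids and a gzip timestamp all leak in."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.add(src_dir, arcname=".")
    return buf.getvalue()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_sample_tree(mtime: int) -> str:
    """Constructed stand-in for a release checkout: same content each call, different metadata."""
    root = tempfile.mkdtemp(prefix="relsrc-")
    files = {
        "configure": b"#!/bin/sh\necho 'generated configure'\n",  # constructed content
        "src/main.c": b"int main(void) { return 0; }\n",
    }
    for rel, data in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        if rel == "configure":
            p.chmod(0o755)
    # files first, then directories, so directory mtimes are not disturbed afterwards
    for p in [*Path(root).rglob("*"), Path(root)]:
        os.utime(p, (mtime, mtime))
    return root


def reproducibility_check() -> dict:
    """Rebuild twice from trees that differ only in filesystem metadata and compare digests."""
    a, b = make_sample_tree(1_000_000_000), make_sample_tree(1_600_000_000)
    det_a, det_b = sha256(pack_deterministic(a)), sha256(pack_deterministic(b))
    naive_a, naive_b = sha256(pack_naive(a)), sha256(pack_naive(b))
    return {
        "deterministic_match": det_a == det_b,  # True: both rebuilds are byte-identical
        "naive_match": naive_a == naive_b,      # False: metadata made the archives differ
        "published_digest": det_a,              # what a release would sign or attest
    }


def verify_release(src_dir: str, published_digest: str) -> bool:
    """Independent check: rebuild from source and compare against the published digest."""
    return sha256(pack_deterministic(src_dir)) == published_digest


if __name__ == "__main__":
    result = reproducibility_check()
    print(result)
    print("verifier rebuild matches:",
          verify_release(make_sample_tree(1_234_567_890), result["published_digest"]))
```

The design choice worth noting is that determinism comes from the packer, not from the build host: because every rebuild of the same tree yields the same bytes, the digest can be computed and signed anywhere, and a reviewer who suspects the generated configure script can regenerate the tree and run `verify_release` without needing the original signer's machine.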
