The erlef/setup-beam Action currently has no way to check authenticity of the downloaded builds. It could theoretically read the SHAs from the builds.txt, but since that is delivered using the same domain, that would add little protection.
Usually I would now recommend to set up actions/attest, but since bob builds outside of GitHub, that does not work.
One solution would be to sign (GPG / RSA or something) the builds.txt with a known keypair. That way clients can check the builds.txt signature, read the SHAs and therefore also trust the builds themselves.