sashaconway · sashaconway · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026 · Feb 5, 2026
diff --git a/.github/workflows/mla_release.yml b/.github/workflows/mla_release.yml
@@ -104,15 +104,6 @@ jobs:
 
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6
-      if: matrix.container == null
-      with:
-        # Pin Rust toolchain for releases to a known-good previous stable release
-        # for increased stability and security.
-        # Rust does not provide an "old-stable" channel, so we explicitly specify the version (including its patch level).
-        toolchain: 1.92.0
-        # For non-release builds, use 'stable'.
-        # toolchain: stable
     - uses: microsoft/setup-msbuild@6fb02220983dee41ce7ae257b6f4d8f9bf5ed4ce # v2.0.0
       if: matrix.msvc_platform
     - name: Set target if any
@@ -142,15 +133,12 @@ jobs:
       if: matrix.container != null
       run: cargo build ${{ matrix.cargo_arg }} --manifest-path=bindings/C/Cargo.toml --target=${{ matrix.target }}
     - name: Build static library (outside container)
-      uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # v1.0.1
       if: matrix.container == null
       env:
         # RUSTC_BOOTSTRAP=1 allows use of -Z build-std on stable toolchain
         # Required because win7 targets aren't officially supported in stable
         RUSTC_BOOTSTRAP: "${{ contains(matrix.target, 'win7') && '1' || '' }}"
-      with:
-        command: build
-        args: ${{ matrix.cargo_arg }} --manifest-path=bindings/C/Cargo.toml --target=${{ matrix.target }}
+      run: cargo build ${{ matrix.cargo_arg }} --manifest-path=bindings/C/Cargo.toml --target=${{ matrix.target }}
     - name: Upload resulting 'mla'
       uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
       with:
@@ -159,7 +147,12 @@ jobs:
 
   release:
     permissions:
+      # Used to generate artifact attestation
+      attestations: write
+      # Used to upload release artifacts
       contents: write
+      # Use to sign the release artifacts
+      id-token: write
     # From https://github.com/cloudflare/wrangler/blob/master/.github/workflows/release.yml
     name: GitHub Release
     needs: build
@@ -173,11 +166,6 @@ jobs:
           echo "version=${GITHUB_REF:15}" >> $GITHUB_OUTPUT
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Get Changelog Entry
-        id: changelog_reader
-        uses: mindsers/changelog-reader-action@32aa5b4c155d76c94e4ec883a223c947b2f02656 # v2.2.3
-        with:
-          path: ./mla/CHANGELOG.md
       - name: Create Release
         id: create_release
         uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
@@ -186,9 +174,19 @@ jobs:
         with:
           tag_name: mla-${{ steps.get_version.outputs.VERSION }}
           release_name: mla-${{ steps.get_version.outputs.VERSION }}
-          body: ${{ steps.changelog_reader.outputs.changes }}
           draft: true
-
+          body: |
+            Verification of assets
+
+            This release assets are built by Github Runners and are attested so ( https://docs.github.com/en/actions/concepts/security/artifact-attestations ).
+
+            To verify the provenance and transparency of assets you download, you can run `gh attestation verify --repo ANSSI-FR/MLA <file-path>` where `<file-path>` is the file path to the downloaded asset.
+
+            To do this without a github account, you can first download the trusted root with `gh attestation trusted-root > ./trusted-root.jsonl`, download the attestation at https://github.com/ANSSI-FR/MLA/attestations to `./attestation.json` and run `gh attestation verify --repo ANSSI-FR/MLA --bundle ./attestation.json --custom-trusted-root ./trusted-root.jsonl <file-path>`.
+
+            Changelog
+
+            https://github.com/ANSSI-FR/MLA/blob/mla-${{ steps.get_version.outputs.VERSION }}/mla/CHANGELOG.md
       - name: Download linux-x86_64 artifact
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
@@ -331,3 +329,30 @@ jobs:
           asset_content_type: application/octet-stream
           asset_name: mla.hpp
 
+      - name: Attest artifacts
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        with:
+          subject-path: |
+            ./mla-linux-x86_86/libmla.a
+            ./windows-i686.zip
+            ./windows-x86_64.zip
+            ./windows-i686-debug.zip
+            ./windows-x86_64-debug.zip
+            ./windows7-i686.zip
+            ./windows7-x86_64.zip
+            ./bindings/C/mla.h
+            ./bindings/C/mla.hpp
+
+  publish:
+    name: Publish mla
+    needs: release
+    runs-on: ubuntu-24.04
+    container: rust@sha256:f58923369ba295ae1f60bc49d03f2c955a5c93a0b7d49acfb2b2a65bebaf350d # v1.92.0 : Pin to known-good previous stable release for increased stability and security
+    environment:
+      name: cratesio
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Publish to crates.io
+        run: cargo publish --package mla
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
diff --git a/.github/workflows/mlar_release.yml b/.github/workflows/mlar_release.yml
@@ -53,15 +53,6 @@ jobs:
 
     steps:
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-    - uses: actions-rs/toolchain@b2417cde72dcf67f306c0ae8e0828a81bf0b189f # v1.0.6
-      if: matrix.container == null
-      with:
-        # Pin Rust toolchain for releases to a known-good previous stable release
-        # for increased stability and security.
-        # Rust does not provide an "old-stable" channel, so we explicitly specify the version (including its patch level).
-        toolchain: 1.92.0
-        # For non-release builds, use 'stable'.
-        # toolchain: stable
     - name: Set target if any
       # Skip rustup target add for win7 targets — rustup doesn't support these tier-3 targets
       if: matrix.target && !contains(matrix.target, 'win7')
@@ -89,15 +80,12 @@ jobs:
       if: matrix.container != null
       run: cargo build --release --all-features --package mlar --verbose ${{ matrix.cargo_build }}
     - name: Build (outside container)
-      uses: actions-rs/cargo@ae10961054e4aa8b4aa7dffede299aaf087aa33b # v1.0.1
       if: matrix.container == null
       env:
         # RUSTC_BOOTSTRAP=1 allows use of -Z build-std on stable toolchain
         # Required because win7 targets aren't officially supported in stable
         RUSTC_BOOTSTRAP: "${{ contains(matrix.target, 'win7') && '1' || '' }}"
-      with:
-        command: build
-        args: --release --all-features --package mlar --verbose ${{ matrix.cargo_build }}
+      run: cargo build --release --all-features --package mlar --verbose ${{ matrix.cargo_build }}
     - name: Upload resulting 'mlar'
       uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
       with:
@@ -106,7 +94,12 @@ jobs:
 
   release:
     permissions:
+      # Used to generate artifact attestation
+      attestations: write
+      # Used to upload release artifacts
       contents: write
+      # Use to sign the release artifacts
+      id-token: write
     # From https://github.com/cloudflare/wrangler/blob/master/.github/workflows/release.yml
     name: GitHub Release
     needs: build
@@ -120,11 +113,6 @@ jobs:
           echo "version=${GITHUB_REF:15}" >> $GITHUB_OUTPUT
       - name: Checkout code
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      - name: Get Changelog Entry
-        id: changelog_reader
-        uses: mindsers/changelog-reader-action@32aa5b4c155d76c94e4ec883a223c947b2f02656 # v2.2.3
-        with:
-          path: ./mlar/CHANGELOG.md
       - name: Create Release
         id: create_release
         uses: actions/create-release@0cb9c9b65d5d1901c1f53e5e66eaf4afd303e70e # v1.1.4
@@ -133,9 +121,19 @@ jobs:
         with:
           tag_name: mlar-${{ steps.get_version.outputs.VERSION }}
           release_name: mlar-${{ steps.get_version.outputs.VERSION }}
-          body: ${{ steps.changelog_reader.outputs.changes }}
           draft: true
-
+          body: |
+            Verification of assets
+
+            This release assets are built by Github Runners and are attested so ( https://docs.github.com/en/actions/concepts/security/artifact-attestations ).
+
+            To verify the provenance and transparency of assets you download, you can run `gh attestation verify --repo ANSSI-FR/MLA <file-path>` where `<file-path>` is the file path to the downloaded asset.
+
+            To do this without a github account, you can first download the trusted root with `gh attestation trusted-root > ./trusted-root.jsonl`, download the attestation at https://github.com/ANSSI-FR/MLA/attestations to `./attestation.json` and run `gh attestation verify --repo ANSSI-FR/MLA --bundle ./attestation.json --custom-trusted-root ./trusted-root.jsonl <file-path>`.
+
+            Changelog
+
+            https://github.com/ANSSI-FR/MLA/blob/mlar-${{ steps.get_version.outputs.VERSION }}/mlar/CHANGELOG.md
       - name: Download Linux artifact
         uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
         with:
@@ -215,3 +213,27 @@ jobs:
           asset_path: ./mlar-macos/mlar
           asset_content_type: application/octet-stream
           asset_name: mlar-macos-${{ steps.get_version.outputs.VERSION }}
+
+      - name: Attest artifacts
+        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+        with:
+          subject-path: |
+            ./mlar-linux/mlar
+            ./mlar-windows/mlar.exe
+            ./mlar-windows7-i686/mlar.exe
+            ./mlar-windows7-x86_64/mlar.exe
+            ./mlar-macos/mlar
+
+  publish:
+    name: Publish mlar
+    needs: release
+    runs-on: ubuntu-24.04
+    container: rust@sha256:f58923369ba295ae1f60bc49d03f2c955a5c93a0b7d49acfb2b2a65bebaf350d # v1.92.0 : Pin to known-good previous stable release for increased stability and security
+    environment:
+      name: cratesio
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - name: Publish to crates.io
+        run: cargo publish --package mlar
+        env:
+          CARGO_REGISTRY_TOKEN: ${{ secrets.CRATES_IO_TOKEN }}
diff --git a/.github/workflows/py-bindings.yml b/.github/workflows/py-bindings.yml
@@ -9,6 +9,8 @@ on:
   push:
     branches:
       - main
+    tags:
+      - "mla-py-bindings-v*"
   pull_request:
 
 permissions:
@@ -20,17 +22,17 @@ jobs:
     strategy:
       matrix:
         platform:
-          - runner: ubuntu-latest
+          - runner: ubuntu-24.04
             target: x86_64
-          - runner: ubuntu-latest
+          - runner: ubuntu-24.04
             target: x86
-          - runner: ubuntu-latest
+          - runner: ubuntu-24.04
             target: aarch64
-          - runner: ubuntu-latest
+          - runner: ubuntu-24.04
             target: armv7
-          - runner: ubuntu-latest
+          - runner: ubuntu-24.04
             target: s390x
-          - runner: ubuntu-latest
+          - runner: ubuntu-24.04
             target: ppc64le
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
@@ -78,6 +80,37 @@ jobs:
           mypy bindings/python/tests/test_mla.py
           mypy bindings/python/tests/test_examples.py
 
+  musllinux:
+    runs-on: ${{ matrix.platform.runner }}
+    strategy:
+      matrix:
+        platform:
+          - runner: ubuntu-24.04
+            target: x86_64
+          - runner: ubuntu-24.04
+            target: x86
+          - runner: ubuntu-24.04
+            target: aarch64
+          - runner: ubuntu-24.04
+            target: armv7
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
+        with:
+          python-version: 3.11
+      - name: Build wheels
+        uses: PyO3/maturin-action@ea5bac0f1ccd0ab11c805e2b804bfcb65dac2eab
+        with:
+          target: ${{ matrix.platform.target }}
+          args: --release --out dist --find-interpreter --manifest-path bindings/python/Cargo.toml
+          sccache: true
+          manylinux: musllinux_1_2
+      - name: Upload wheels
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
+        with:
+          name: wheels-musllinux-${{ matrix.platform.target }}
+          path: dist
+
   windows:
     runs-on: ${{ matrix.platform.runner }}
     strategy:
@@ -181,7 +214,7 @@ jobs:
           mypy bindings/python/tests/test_mla.py
           mypy bindings/python/tests/test_examples.py
   sdist:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       - name: Build sdist
@@ -193,4 +226,33 @@ jobs:
         uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: wheels-sdist
-          path: dist
+          path: dist
+
+  release:
+    name: Release py-bindings
+    runs-on: ubuntu-24.04
+    if: ${{ startsWith(github.ref, 'refs/tags/mla-py-bindings-v') }}
+    environment:
+      name: pypi
+      url: https://test.pypi.org/p/mla-archive
+    needs: [linux, musllinux, windows, macos, sdist]
+    permissions:
+      # Use to sign the release artifacts
+      id-token: write
+      # Used to upload release artifacts
+      contents: write
+      # Used to generate artifact attestation
+      attestations: write
+    steps:
+      - uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      - name: Move artifacts to dist
+        run: |
+          rm -rf dist
+          mkdir dist
+          mv wheels-*/* dist
+#      - name: Generate artifact attestation
+#        uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
+#        with:
+#          subject-path: dist/
+      - name: publish
+        uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -174,6 +174,7 @@ jobs:
       - name: Security audit
         uses: actions-rs/audit-check@35b7b53b1e25b55642157ac01b4adceb5b9ebef3 # v1.2.0
         with:
+         ignore: RUSTSEC-2025-0144 # As documented in README, we do not care enough for side channel attacks to update to an rc version of ml-dsa. Will update when final ml-dsa version is released.
          token: ${{ secrets.GITHUB_TOKEN }}
 
   clippy:
@@ -209,4 +210,4 @@ jobs:
         run: cd mla && cargo publish --dry-run
       - name: Dry-run publish mlar
         run: cd mlar && cargo publish --dry-run
-
+