If you discover a security vulnerability within this project, please send an e-mail to tiago.peczenyj+github@gmail.com.
All security vulnerabilities will be promptly addressed. We request that you do not report security-related issues through public GitHub issues.
Each tagged release publishes a source archive (runtimevar-consul-vX.Y.Z.tar.gz) and a SHA256SUMS file on the Releases page. The archive ships with SLSA build provenance, signed keylessly via Sigstore and generated by the release workflow on GitHub Actions.
To verify a downloaded archive with the GitHub CLI (version 2.49 or newer), pinning the expected builder identity:
gh attestation verify runtimevar-consul-vX.Y.Z.tar.gz \
  --repo peczenyj/runtimevar-consul \
  --cert-oidc-issuer https://token.actions.githubusercontent.com \
  --cert-identity-regex '^https://github\.com/peczenyj/runtimevar-consul/\.github/workflows/release\.yml@refs/tags/v'

The --cert-* constraints assert that the provenance was signed by this repository's release.yml workflow, running on a version tag, through GitHub's OIDC issuer, not merely that some attestation exists for the same bytes. A successful check confirms the archive was built by that workflow and has not been tampered with since.
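As an added example (not the project's own release tooling), the following POSIX shell script combines the two checks described above: the digest match against the published SHA256SUMS file, which the text mentions but does not show, and the pinned attestation verification. It assumes gh 2.49 or newer is installed and authenticated; the repository, issuer and identity pattern are the ones from the command above.

```shell
#!/bin/sh
# Added example, not part of runtimevar-consul: verify a downloaded release
# archive against SHA256SUMS, then check its SLSA provenance with the GitHub
# CLI pinned to this repository's release workflow identity.
# Assumes gh >= 2.49 is installed and authenticated for the provenance step.

REPO="peczenyj/runtimevar-consul"
ISSUER="https://token.actions.githubusercontent.com"
IDENTITY_RE='^https://github\.com/peczenyj/runtimevar-consul/\.github/workflows/release\.yml@refs/tags/v'

# Return 0 if ARCHIVE's SHA-256 digest matches its entry in SUMS; return 1 on a
# mismatch or when SUMS has no entry for that file name. Plain shell tools only,
# so a truncated or altered download is rejected before gh is ever invoked.
check_sha256sums() {
    archive="$1"; sums="$2"
    name=$(basename "$archive")
    # sha256sum writes "<digest>  <name>" (or "*<name>" in binary mode)
    expected=$(awk -v n="$name" '$2 == n || $2 == "*" n { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no SHA256SUMS entry for $name" >&2; return 1; }
    actual=$(sha256sum "$archive" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "digest mismatch for $name" >&2; return 1; }
    return 0
}

# Run the pinned attestation check. Every --cert-* constraint must hold, so an
# attestation from another repository, another workflow, or a non-tag ref fails.
verify_provenance() {
    gh attestation verify "$1" \
        --repo "$REPO" \
        --cert-oidc-issuer "$ISSUER" \
        --cert-identity-regex "$IDENTITY_RE"
}

# Full check: digest first, provenance second; either failure is fatal.
verify_release() {
    check_sha256sums "$1" "$2" && verify_provenance "$1"
}

# Usage: ./verify.sh runtimevar-consul-vX.Y.Z.tar.gz SHA256SUMS
if [ "$#" -eq 2 ]; then
    verify_release "$1" "$2"
fi
```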