Immutable releases

Learn about immutable releases and how they can help you maintain the integrity of your software supply chain.

Note

Immutable releases are currently in public preview and subject to change.

Immutable releases are releases where the assets and associated Git tag cannot be changed after publication. They increase security by blocking:

  • Supply chain attacks where attackers inject vulnerabilities or malware into current project releases
  • Accidental changes to assets and tags that may break developer workflows

Additionally, creating an immutable release automatically generates a release attestation, which is a cryptographically verifiable record of a release containing the release tag, commit SHA, and release assets. Consumers can use this attestation to make sure the releases and artifacts they are using exactly match the published GitHub releases.

If a release is immutable, you will see "Immutable" below the title on the release page.
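The consumer-side check described above, as an added example that is not GitHub's code: it compares locally downloaded assets against a release record holding the tag, commit SHA, and asset digests. The record layout and the names `build_record` and `check_assets` are assumptions made for illustration, not GitHub's attestation format, and the example does not verify a signature, which a real attestation requires before its contents are trusted.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed record with the fields the page lists (release tag, commit SHA,
# release assets). Hypothetical layout, not GitHub's attestation format; a real
# attestation's signature must be verified before these values are trusted.
def build_record(tag, commit_sha, assets):
    return {"tag": tag, "commit": commit_sha,
            "assets": {name: hashlib.sha256(data).hexdigest()
                       for name, data in assets.items()}}

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def check_assets(record, directory, expected_tag):
    """Return a list of findings; an empty list means everything matches."""
    findings = []
    if record["tag"] != expected_tag:
        findings.append(f"tag mismatch: {record['tag']}")
    local = {p.name: p for p in Path(directory).iterdir() if p.is_file()}
    for name, digest in sorted(record["assets"].items()):
        if name not in local:
            findings.append(f"missing: {name}")
        elif sha256_file(local[name]) != digest:
            findings.append(f"modified: {name}")
    # Files on disk that the record never listed are reported, not ignored.
    for name in sorted(set(local) - set(record["assets"])):
        findings.append(f"unlisted: {name}")
    return findings

def demo():
    # Constructed sample assets and a placeholder commit SHA.
    published = {"tool-linux-amd64": b"constructed binary v1",
                 "checksums.txt": b"constructed checksums"}
    record = build_record("v1.2.0", "0" * 40, published)
    with tempfile.TemporaryDirectory() as d:
        for name, data in published.items():
            Path(d, name).write_bytes(data)
        clean = check_assets(record, d, "v1.2.0")
        # Simulate an asset changed after publication plus an extra file.
        Path(d, "tool-linux-amd64").write_bytes(b"constructed binary v1, altered")
        Path(d, "extra.sh").write_bytes(b"constructed extra file")
        tampered = check_assets(record, d, "v1.2.0")
        wrong_tag = check_assets(record, d, "v1.2.1")
    return clean, tampered, wrong_tag
```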

Next steps

To learn how to enable immutable releases for your repository or organization, see Preventing changes to your releases.

To learn how to ensure a release and local assets have not been changed, see Verifying the integrity of a release.