From bd096c3012a89ee457a8c51aadebcb25fe658a9e Mon Sep 17 00:00:00 2001 From: Max Goedjen Date: Sat, 23 Aug 2025 15:07:09 -0700 Subject: [PATCH] Add attestation info to readme (#620) * Update README.md * Enhance README with attestation visibility details * Update README to clarify build process and attestations --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 50c32b2..21b10ea 100644 --- a/README.md +++ b/README.md @@ -49,7 +49,7 @@ There's a [FAQ here](FAQ.md). ### Auditable Build Process -Builds are produced by GitHub Actions with an auditable build and release generation process. Each build has a "Document SHAs" step, which will output SHA checksums for the build produced by the GitHub Action, so you can verify that the source code for a given build corresponds to any given release. +Builds are produced by GitHub Actions with an auditable build and release generation process. Starting with Secretive 3.0, builds are attested using [GitHub Artifact Attestation](https://docs.github.com/en/actions/concepts/security/artifact-attestations). Attestations are viewable in the build log for a build, and also on the [main attestation page](https://github.com/maxgoedjen/secretive/attestations). ### A Note Around Code Signing and Keychains
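Review bot: The added line under "Auditable Build Process" says where attestations can be viewed but not how a user checks a downloaded build against them, and the removed line was the only text describing a verification path (the "Document SHAs" checksums). Consider adding one sentence on verification, for example `gh attestation verify <downloaded file> --repo maxgoedjen/secretive`. Since the new wording only covers "Starting with Secretive 3.0", also consider keeping a short note on the checksum step if it still applies to earlier releases, so the README does not leave those builds without a documented check.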