Installation
There are four supported ways to get CI/lock running.
Verify the `cilock` binary
How CI/lock dogfoods its own release pipeline: every `cilock` binary you download from GitHub is signed via Sigstore Fulcio with the workflow's OIDC identity, comes with a Verification Summary Attestation (VSA) that CI/lock produced by verifying itself against a 5-layer release policy, and ships with a signed `install.sh` that scripts the cosign verification step before extraction.
Your first attestation
Intro
CI quickstart
The fastest path from a vanilla GitHub Actions workflow to signed evidence. This page shows one copy-pasteable workflow that produces a signed attestation around a single build step, then points to the dropbox-clone reference for the fuller multi-step pattern.