Immutable releases are now generally available on GitHub

GitHub just put a big padlock on software releases with new immutable releases — once you publish, you can’t secretly swap files or move tags. There’s also a cryptographic receipt called an attestation so anyone can verify a release is legit using the GitHub CLI or Sigstore. It’s opt-in at the repo or org level, and old releases stay as-is unless republished. Security win, right? The comments did not hold back. The top-voted vibe: pure shock. One user basically screamed, “Wait, they weren’t already immutable?!” Others clapped, saying this closes a major supply-chain hole where bad actors could quietly slip in altered downloads. But the celebration had a heckler section: a jaded crowd says “cool feature, wrong priorities,” dragging GitHub’s code review experience and pining for a simpler, pre-rewrite era. Meanwhile, practical folks asked for receipts in the UI: a visible badge to show a repo uses immutability and whether Actions ran on GitHub’s own machines or a private runner. The policy nerds stirred drama too: why block deletion entirely, and how does that stop real attacks? The thread reads like security prom meets product therapy session — applause, eye-rolls, and feature requests flying. More details live on GitHub Docs and the Community forum.