Saved February 14, 2026
Do you care about this?
GitHub now offers immutable releases that protect software assets and tags from modification after publication. This feature enhances security by preventing tampering and includes signed attestations for verifying authenticity. Users can enable this at the repository or organization level.
If you do, here's more
GitHub has rolled out immutable releases, enhancing supply chain security for software distribution. With this feature, once a release is marked as immutable, its assets and tags cannot be altered or deleted. This guards against supply chain attacks, ensuring that the software published remains unchanged and reliable for users.
The key benefits include the protection of assets and tags, which are locked after publication. Existing releases continue to be mutable unless explicitly republished as immutable. When enabled, all new releases default to being immutable, giving developers peace of mind that their work is safeguarded from unauthorized modifications. Additionally, each immutable release comes with signed attestations, allowing users to verify the authenticity and integrity of the assets involved.
For developers looking to implement this feature, it can be activated at the repository or organization level in the settings. GitHub also supports release attestations using the Sigstore bundle format, enabling easy verification both within GitHub and through external tools. Instructions for verifying release integrity are available in their documentation, streamlining the process for integration into CI/CD workflows. Feedback from users is encouraged, and there's a dedicated space for community questions and suggestions.
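A release attestation in Sigstore bundle form wraps an in-toto Statement whose subjects are the release assets and their SHA-256 digests. The following Python is an added illustration (not GitHub's code and not taken from the page) of the check a CI/CD step performs after the bundle's signature has been verified: decode the statement and confirm that every downloaded asset matches its attested digest. The bundle, asset bytes, repository name and predicate type below are constructed placeholders; the script does not verify signatures or certificates, which is the job of Sigstore-aware tooling such as the gh CLI.

```python
"""Compare downloaded release assets against the subject digests recorded in a
Sigstore bundle (the format GitHub uses for release attestations).

Added example, not GitHub's code. SAMPLE_BUNDLE is CONSTRUCTED: its DSSE
envelope carries a real in-toto Statement, but the signature and verification
material are placeholders. Only the digest-binding step is shown here; the
bundle's signature and certificate chain must be verified with Sigstore-aware
tooling before these digests are trusted.
"""
import base64
import hashlib
import json

# Constructed asset contents, standing in for files downloaded from the release.
ASSETS = {
    "tool-1.2.0-linux-amd64.tar.gz": b"constructed asset bytes: linux build\n",
    "tool-1.2.0-darwin-arm64.tar.gz": b"constructed asset bytes: darwin build\n",
}


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed in-toto Statement (v1 layout) naming the assets and their digests.
# The predicateType and repository values are placeholders, not GitHub's.
_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [
        {"name": name, "digest": {"sha256": _sha256(data)}}
        for name, data in ASSETS.items()
    ],
    "predicateType": "https://example.invalid/release-attestation/PLACEHOLDER",
    "predicate": {"repository": "example-org/example-repo", "tag": "v1.2.0"},
}

# Constructed bundle. mediaType is assumed to follow the Sigstore v0.3 naming;
# verificationMaterial and the signature are placeholders, not real values.
SAMPLE_BUNDLE = {
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "verificationMaterial": {"PLACEHOLDER": "no certificate or log entry here"},
    "dsseEnvelope": {
        "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
        "payloadType": "application/vnd.in-toto+json",
        "signatures": [{"sig": "PLACEHOLDER"}],
    },
}


def statement_from_bundle(bundle: dict) -> dict:
    """Decode the in-toto Statement carried in the bundle's DSSE envelope."""
    env = bundle["dsseEnvelope"]
    if env.get("payloadType") != "application/vnd.in-toto+json":
        raise ValueError(f"unexpected payloadType: {env.get('payloadType')!r}")
    return json.loads(base64.b64decode(env["payload"]))


def attested_digests(bundle: dict) -> dict:
    """Map each attested subject name to its SHA-256 digest."""
    stmt = statement_from_bundle(bundle)
    return {s["name"]: s["digest"]["sha256"] for s in stmt["subject"]}


def check_assets(bundle: dict, assets: dict) -> dict:
    """Classify assets as 'ok', 'mismatch' (digest differs), 'unattested'
    (downloaded but absent from the statement) or 'missing' (attested but not
    downloaded). Anything other than 'ok' should fail the pipeline."""
    expected = attested_digests(bundle)
    result = {}
    for name, data in assets.items():
        if name not in expected:
            result[name] = "unattested"
        elif _sha256(data) == expected[name]:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    for name in expected:
        if name not in assets:
            result[name] = "missing"
    return result


if __name__ == "__main__":
    for name, status in check_assets(SAMPLE_BUNDLE, ASSETS).items():
        print(f"{status:10} {name}")
```

Treating an asset that is present but absent from the statement as a failure matters as much as a digest mismatch: a release whose attestation does not name a file gives no guarantee about that file.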