
ci: migrate from SLSA provenance to actions/attest with subject-path#16

Merged
keelerm84 merged 11 commits into main from devin/1774991587-immutable-releases on Apr 2, 2026

Conversation

@keelerm84 (Member) commented Mar 31, 2026

Summary

Supports GitHub's immutable releases by migrating provenance attestation from slsa-framework/slsa-github-generator to actions/attest@v4. Since this repo only uses attestation (no binary/artifact uploads to the release), draft releases are not needed — actions/attest@v4 stores attestations via GitHub's attestation API, not as release assets.

Changes in .github/workflows/publish.yml:

  • Removed the separate provenance job that called slsa-framework/slsa-github-generator and uploaded a .intoto.jsonl file as a release asset.
  • Added an inline Attest build provenance step directly in the publish job, using subject-path: 'nupkgs/*' to reference built NuGet packages on disk.
  • Added attestations: write permission.
  • Removed unused tag input from both workflow_dispatch and workflow_call triggers.
  • Uses format('{0}', inputs.dry_run) == 'false' for the dry_run condition to handle both boolean (workflow_call) and string (workflow_dispatch) input types correctly.

Changes in .github/workflows/release-please.yml:

  • Removed dead tag_name output from the release-please job (no longer consumed by any downstream job).
  • Removed the tag: parameter from the publish.yml caller.

Changes in .github/actions/publish/action.yml:

  • Removed the hashes output and "Hash nuget packages" step. These existed to produce base64-encoded checksums for the old SLSA generator and are no longer needed — subject-path lets actions/attest@v4 compute checksums from files on disk directly.

New documentation:

  • Added PROVENANCE.md with instructions for verifying build provenance using gh attestation verify, including example commands and sample output.
  • Added a "Verifying build provenance with the SLSA framework" section to README.md linking to PROVENANCE.md.

Review & Testing Checklist for Human

  • Verify subject-path: 'nupkgs/*' matches the actual build output: The composite action runs dotnet pack --output nupkgs, producing .nupkg and .snupkg files. Confirm the glob nupkgs/* resolves correctly from the workflow's working directory (the repo root). If the path is relative to a different directory, attestation will silently produce no subjects.
  • Verify the PROVENANCE.md version placeholder: The file uses x-release-please-start-version with SDK_VERSION=2.0.0. Confirm this matches the current/next release version and that release-please will update it correctly on future releases.
  • Test end-to-end with a dry-run or fork release: The attestation step only executes when dry_run == 'false', so it cannot be validated by CI on a feature branch. Trigger a manual workflow run (with dry_run: true first to verify no regressions, then dry_run: false on a fork or test tag) to confirm attestation is created successfully and gh attestation verify works as documented in PROVENANCE.md.

Notes

  • This follows the simplified attestation-only pattern: since actions/attest@v4 does not modify GitHub releases, no draft release workflow is needed for this repo.
  • force-tag-creation and draft are intentionally not set in release-please-config.json — they are only needed for repos that upload artifacts to releases.
  • The format('{0}', inputs.dry_run) pattern stringifies the input regardless of source type, ensuring == 'false' works for both workflow_call (boolean) and workflow_dispatch (string) triggers.

Link to Devin session: https://app.devin.ai/sessions/7d5bda4d9dbe4ae0b950b30a50485e60
Requested by: @keelerm84
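To show the pieces the description lists together in one place, here is a minimal publish workflow written as an added example. It is not this repository's publish.yml and not the PR author's code: the job and step layout, running dotnet pack directly instead of through the composite action, and the NUGET_API_KEY secret are assumptions. Two further points are mine, not the page's. The PR text names actions/attest@v4, but that generic action requires an explicit predicate-type and predicate, while a build-provenance attestation computed from subject-path alone is what actions/attest-build-provenance (a wrapper around actions/attest) produces, so the example uses that action at the matching major version. And artifact-metadata: write is included because the Cursor Bugbot comment below reports that v4 requires it. Check both against the merged workflow and the actions' READMEs before copying.

```yaml
# Added example, not this repository's publish.yml. Assumed: the job and step
# names, the dotnet pack arguments, and the NUGET_API_KEY secret.
name: Publish

on:
  workflow_dispatch:
    inputs:
      dry_run:
        description: 'Build and attest, but do not push to NuGet'
        type: boolean
        default: true
  workflow_call:
    inputs:
      dry_run:
        type: boolean
        default: false

# A workflow invoked via workflow_call cannot exceed the caller's permissions,
# so the calling workflow (release-please.yml in this PR) must grant these too.
permissions:
  id-token: write           # OIDC token used to sign the attestation via Sigstore
  contents: read            # enough for checkout; release-please itself needs write
  attestations: write       # store the attestation through GitHub's attestation API
  artifact-metadata: write  # reported by the review below as required by v4 for the
                            # artifact storage record; confirm against the action README

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Writes nupkgs/*.nupkg (and nupkgs/*.snupkg when symbols are configured)
      # relative to the repository root, the working directory against which the
      # subject-path glob below is resolved.
      - name: Pack
        run: dotnet pack --configuration Release --output nupkgs

      # Fail before anything is signed if the glob would match nothing. With
      # bash's default behaviour an unmatched glob is passed literally to ls,
      # which exits non-zero and fails the step.
      - name: Check pack output
        run: ls -l nupkgs/*.nupkg

      # format('{0}', ...) renders both the boolean workflow_call input and the
      # string workflow_dispatch input as a string, so one comparison covers both.
      - name: Attest build provenance
        if: ${{ format('{0}', inputs.dry_run) == 'false' }}
        uses: actions/attest-build-provenance@v4   # pin to a full commit SHA in practice
        with:
          subject-path: 'nupkgs/*'

      - name: Push to NuGet
        if: ${{ format('{0}', inputs.dry_run) == 'false' }}
        run: dotnet nuget push 'nupkgs/*.nupkg' --source https://api.nuget.org/v3/index.json --api-key "$NUGET_API_KEY"
        env:
          NUGET_API_KEY: ${{ secrets.NUGET_API_KEY }}
```

A consumer then verifies a downloaded package with `gh attestation verify <package>.nupkg --repo <owner>/<repo>` (owner and repo are placeholders), which recomputes the file's SHA-256 digest, looks up attestations whose subject carries that digest, and checks the Sigstore signature and the signing workflow's identity. Because the glob matches every file under nupkgs/, the symbol packages are attested alongside the main packages.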

@devin-ai-integration (Contributor)

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.


devin-ai-integration (bot) added the devin-pr label (PR created by Devin) Mar 31, 2026
Since actions/attest@v4 stores attestations via GitHub's attestation API
(not as release assets), repos that only use attestation don't need draft
releases. Release-please can publish the release directly.

Changes:
- Remove draft:true from release-please-config.json
- Remove create-tag job/steps (force-tag-creation handles this)
- Remove publish-release job (release is published directly)
- Remove publish_release input from manual workflows
devin-ai-integration (bot) changed the title from "ci: use draft releases to support immutable GitHub releases" to "ci: migrate to actions/attest and add force-tag-creation" Mar 31, 2026
force-tag-creation only operates in conjunction with draft releases.
Since this repo does not use draft releases (attestation-only, no
artifact uploads to the release), force-tag-creation is not needed.
devin-ai-integration (bot) changed the title from "ci: migrate to actions/attest and add force-tag-creation" to "ci: migrate from SLSA provenance to actions/attest" Mar 31, 2026
devin-ai-integration (bot) changed the title from "ci: migrate from SLSA provenance to actions/attest" to "ci: migrate from SLSA provenance to actions/attest with subject-path" Mar 31, 2026
@kinyoklion kinyoklion marked this pull request as ready for review April 1, 2026 17:38
id-token: write # Needed if using OIDC to get release secrets.
contents: write # Contents and pull-requests are for release-please to make releases.
pull-requests: write
attestations: write


Missing artifact-metadata: write permission for actions/attest@v4

High Severity

actions/attest@v4 requires three permissions: id-token: write, attestations: write, and artifact-metadata: write. The workflow adds attestations: write but omits artifact-metadata: write, which is a new requirement introduced in v4 and is needed to create the artifact storage record. Without it, the Attest build provenance step will fail at runtime.



cursor (bot) left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).



keelerm84 merged commit 560e9e5 into main Apr 2, 2026
7 checks passed
keelerm84 deleted the devin/1774991587-immutable-releases branch April 2, 2026 16:48

Labels

devin-pr PR created by Devin
