ci: migrate from SLSA provenance to actions/attest with subject-path #16
Since actions/attest@v4 stores attestations via GitHub's attestation API (not as release assets), repos that only use attestation don't need draft releases. Release-please can publish the release directly.

Changes:
- Remove draft:true from release-please-config.json
- Remove create-tag job/steps (force-tag-creation handles this)
- Remove publish-release job (release is published directly)
- Remove publish_release input from manual workflows
force-tag-creation only operates in conjunction with draft releases. Since this repo does not use draft releases (attestation-only, no artifact uploads to the release), force-tag-creation is not needed.
| id-token: write # Needed if using OIDC to get release secrets. | ||
| contents: write # Contents and pull-requests are for release-please to make releases. | ||
| pull-requests: write | ||
| attestations: write |
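Review bot: the permissions block is missing `artifact-metadata: write`, which actions/attest@v4 needs to create the artifact storage record, so the "Attest build provenance" step will fail at runtime until a line `artifact-metadata: write` is added alongside `attestations: write`. Also, the comment on `id-token: write` still reads "Needed if using OIDC to get release secrets", but after this change that token is also what actions/attest uses to obtain its signing identity; please update the comment so nobody later removes the permission thinking it is unused.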
Missing artifact-metadata: write permission for actions/attest@v4
High Severity
actions/attest@v4 requires three permissions: id-token: write, attestations: write, and artifact-metadata: write. The workflow adds attestations: write but omits artifact-metadata: write, which is a new requirement introduced in v4 and is needed to create the artifact storage record. Without it, the Attest build provenance step will fail at runtime.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).


Summary

Supports GitHub's immutable releases by migrating provenance attestation from `slsa-framework/slsa-github-generator` to `actions/attest@v4`. Since this repo only uses attestation (no binary/artifact uploads to the release), draft releases are not needed — `actions/attest@v4` stores attestations via GitHub's attestation API, not as release assets.

Changes in `.github/workflows/publish.yml`:
- `provenance` job that called `slsa-framework/slsa-github-generator` and uploaded a `.intoto.jsonl` file as a release asset.
- `Attest build provenance` step directly in the `publish` job, using `subject-path: 'nupkgs/*'` to reference built NuGet packages on disk.
- `attestations: write` permission.
- `tag` input from both `workflow_dispatch` and `workflow_call` triggers.
- `format('{0}', inputs.dry_run) == 'false'` for the dry_run condition to handle both boolean (workflow_call) and string (workflow_dispatch) input types correctly.

Changes in `.github/workflows/release-please.yml`:
- `tag_name` output from the `release-please` job (no longer consumed by any downstream job).
- `tag:` parameter from the `publish.yml` caller.

Changes in `.github/actions/publish/action.yml`:
- `hashes` output and "Hash nuget packages" step. These existed to produce base64-encoded checksums for the old SLSA generator and are no longer needed — `subject-path` lets `actions/attest@v4` compute checksums from files on disk directly.

New documentation:
- `PROVENANCE.md` with instructions for verifying build provenance using `gh attestation verify`, including example commands and sample output.
- `README.md` linking to `PROVENANCE.md`.

Review & Testing Checklist for Human
- `subject-path: 'nupkgs/*'` matches the actual build output: The composite action runs `dotnet pack --output nupkgs`, producing `.nupkg` and `.snupkg` files. Confirm the glob `nupkgs/*` resolves correctly from the workflow's working directory (the repo root). If the path is relative to a different directory, attestation will silently produce no subjects.
- `PROVENANCE.md` version placeholder: The file uses `x-release-please-start-version` with `SDK_VERSION=2.0.0`. Confirm this matches the current/next release version and that release-please will update it correctly on future releases.
- `dry_run == 'false'`, so it cannot be validated by CI on a feature branch. Trigger a manual workflow run (with `dry_run: true` first to verify no regressions, then `dry_run: false` on a fork or test tag) to confirm attestation is created successfully and `gh attestation verify` works as documented in `PROVENANCE.md`.

Notes
- `actions/attest@v4` does not modify GitHub releases, no draft release workflow is needed for this repo.
- `force-tag-creation` and `draft` are intentionally not set in `release-please-config.json` — they are only needed for repos that upload artifacts to releases.
- `format('{0}', inputs.dry_run)` pattern stringifies the input regardless of source type, ensuring `== 'false'` works for both `workflow_call` (boolean) and `workflow_dispatch` (string) triggers.

Link to Devin session: https://app.devin.ai/sessions/7d5bda4d9dbe4ae0b950b30a50485e60
Requested by: @keelerm84
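As an added illustration (not the repository's own publish.yml), a minimal workflow excerpt that puts the pieces discussed in this PR together: the `format('{0}', inputs.dry_run)` gate for both trigger types, the permission set including the `artifact-metadata: write` that the review flagged as missing, `subject-path: 'nupkgs/*'` for the packed NuGet files, and a verification step that catches the silent "no subjects" case. The `predicate-type` and `predicate` values are constructed placeholders, added because actions/attest requires a predicate, which this page does not show.

```yaml
# Added example, not the repository's publish.yml. Placeholder values are marked as such.
name: publish

on:
  workflow_dispatch:            # per the PR description, inputs arrive as strings from this trigger
    inputs:
      dry_run:
        description: Build and attest only; do not publish
        type: boolean
        default: true
  workflow_call:                # inputs keep their declared boolean type from this trigger
    inputs:
      dry_run:
        type: boolean
        default: true

permissions:
  contents: write           # release-please creates the release
  pull-requests: write
  id-token: write           # also what actions/attest uses to obtain its signing identity
  attestations: write       # store the attestation via the attestation API
  artifact-metadata: write  # required by actions/attest@v4; flagged as missing in review

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Pack
        run: dotnet pack --output nupkgs   # writes nupkgs/*.nupkg and *.snupkg at the repo root

      # format() stringifies the input, so == 'false' compares correctly for both triggers
      - name: Attest build provenance
        if: ${{ format('{0}', inputs.dry_run) == 'false' }}
        uses: actions/attest@v4
        with:
          subject-path: 'nupkgs/*'   # resolved relative to the workflow working directory
          # actions/attest also needs a predicate; both values below are placeholders
          predicate-type: 'https://example.com/placeholder-predicate/v1'
          predicate: '{"note": "constructed placeholder predicate"}'

      # A wrong glob silently produces no subjects, so check that each package actually got one
      - name: Verify attestation for each package
        if: ${{ format('{0}', inputs.dry_run) == 'false' }}
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          for f in nupkgs/*.nupkg; do
            gh attestation verify "$f" --repo "${{ github.repository }}"
          done
```

The verify step fails the job if any package has no matching attestation, which is the failure mode the checklist item about `subject-path` warns about.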