ci: switch from SLSA provenance to actions/attest with subject-path#377
ci: switch from SLSA provenance to actions/attest with subject-path#377
Conversation
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
Since actions/attest@v4 stores attestations via GitHub's attestation API (not as release assets), repos that only use attestation don't need draft releases. Release-please can publish the release directly. Changes: - Remove draft:true from release-please-config.json - Remove create-tag job/steps (force-tag-creation handles this) - Remove publish-release job (release is published directly) - Remove publish_release input from manual workflows
devin-ai-integration
bot
changed the title
force-tag-creation only operates in conjunction with draft releases. Since this repo does not use draft releases (attestation-only, no artifact uploads to the release), force-tag-creation is not needed.
devin-ai-integration
bot
changed the title
devin-ai-integration
bot
changed the title
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
| permissions: | ||
| id-token: write # Needed if using OIDC to get release secrets. | ||
| contents: write # Contents and pull-requests are for release-please to make releases. | ||
| attestations: write # Needed for actions/attest. |
There was a problem hiding this comment.
Missing artifact-metadata: write permission for actions/attest@v4
Medium Severity
Both workflows declare id-token: write and attestations: write for actions/attest@v4, but are missing the artifact-metadata: write permission. Since January 2026, GitHub requires this fine-grained permission for creating artifact storage records, and the contents: write fallback was deprecated in February 2026. Without it, the "Attest build provenance" step will likely fail with a permissions error, resulting in releases without attestation.
Additional Locations (1)
1 participant
Requirements
N/A — CI-only changes, no application code or tests affected.
Related issues
Supports the org-wide migration to immutable GitHub releases. Once immutable releases are enabled, artifacts can no longer be uploaded after a release is published. This repo only uses attestation (no binary/artifact uploads to the release), so
actions/attest@v4— which stores attestations via GitHub's attestation API rather than as release assets — is compatible with immutable releases without needing draft releases.Describe the solution you've provided
Changes across four files:
release-please-config.json— Reformattedextra-filesarray to multi-line (no functional change)..github/actions/publish/action.yml— Removed thegem-hashoutput and "Hash gem for provenance" step. These existed to produce base64-encoded checksums for the old SLSA generator and are no longer needed since attestation now usessubject-pathdirectly..github/workflows/release-please.yml— In thepublishjob:release-provenancejob (SLSAgenerator_generic_slsa3reusable workflow withupload-assets: true) with an inlineactions/attest@v4step usingsubject-path: 'launchdarkly-server-sdk-*.gem'.attestations: writepermission.fetch-depth: 0to the checkout step.gem-hashfrom job outputs.upload-tag-nameoutput (was only consumed by the now-removedrelease-provenancejob). Therelease-createdoutput is retained as it is still used by downstream jobs..github/workflows/manual-publish.yml— Same attestation migration:release-provenancejob with an inlineactions/attest@v4step usingsubject-pathgated on!inputs.dry_run.attestations: writepermission.gem-hashfrom job outputs.Why
subject-pathinstead ofsubject-checksums?The previous approach used a base64 encode/decode round-trip inherited from the old SLSA generator: the composite action hashed artifacts and base64-encoded the checksums, then the workflow decoded them into a checksums file for
actions/attest. Sinceactions/attest@v4supportssubject-path— which accepts file globs and computes checksums internally — the entire round-trip is eliminated. The globlaunchdarkly-server-sdk-*.gemmatches the built gem files directly on disk.Why no draft releases?
The old SLSA generator uploaded
.intoto.jsonlprovenance files as release assets (viaupload-assets: true), which would fail under immutable releases. The newactions/attest@v4stores attestations via GitHub's attestation API instead — it does not modify the GitHub release. Since this repo has no other artifact uploads, the release can be published directly by release-please without a draft→publish flow.Describe alternatives you've considered
subject-checksums: An earlier revision decoded base64 hashes into a checksums file foractions/attest. This worked but was unnecessarily complex since the artifact files are already on disk in the same job.publish-releasejob. Simplified since this repo only uses attestation, not artifact uploads.actions/attest@v4is the org-standard replacement and runs inline without requiring a separate job.Additional context
subject-path: 'launchdarkly-server-sdk-*.gem'glob must match all gem files produced by the build (both CRuby and JRuby variants). The existing publish action already uses the samelaunchdarkly-server-sdk-*.gemglob forgem push, so this should be consistent.fetch-depth: 0was added to the checkout inrelease-please.yml'spublishjob. Verify this is still needed now that the create-tag step has been removed — it may be unnecessary overhead.ifguard on attestation inrelease-please.yml: TheAttest build provenancestep runs unconditionally within thepublishjob (which is itself gated onrelease-created == 'true'). The manual workflow correctly gates on!inputs.dry_run. Confirm this asymmetry is acceptable.actions/attest@v4is referenced by major version tag (not pinned SHA), consistent with existingactions/checkout@v4usage in this repo.upload-tag-namewas removed fromrelease-please.ymloutputs since its only consumer (release-provenancejob) was removed.release-createdis kept since it gates downstreambuild-ruby-gem,build-jruby-gem, andpublishjobs.Link to Devin session: https://app.devin.ai/sessions/7d5bda4d9dbe4ae0b950b30a50485e60
Requested by: @keelerm84
Note
Medium Risk
Moderate risk because it changes the release/publish GitHub Actions flow and provenance generation; a misconfigured
subject-pathor permissions could break releases or omit attestations.Overview
Switches release provenance generation from the SLSA reusable workflow to an inline
actions/attest@v4step in bothrelease-please.ymlandmanual-publish.yml, grantingattestations: writeand attesting the built gems viasubject-path: 'launchdarkly-server-sdk-*.gem'.Removes the composite publish action’s gem hashing output and deletes workflow wiring (
gem-hashoutputs and the standalonerelease-provenancejob) that existed only to feed the old SLSA generator;release-please-config.jsonis reformatted with no functional change.Written by Cursor Bugbot for commit 609b876. This will update automatically on new commits. Configure here.