ci: implement immutable releases support with actions/attest#413
ci: implement immutable releases support with actions/attest#413
Conversation
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
Since actions/attest@v4 stores attestations via GitHub's attestation API (not as release assets), repos that only use attestation don't need draft releases. Release-please can publish the release directly. Changes: - Remove draft:true from release-please-config.json - Remove create-tag job/steps (force-tag-creation handles this) - Remove publish-release job (release is published directly) - Remove publish_release input from manual workflows
devin-ai-integration
bot
changed the title
force-tag-creation only operates in conjunction with draft releases. Since this repo does not use draft releases (attestation-only, no artifact uploads to the release), force-tag-creation is not needed.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
|
|
||
| - name: Publish package distributions to PyPI | ||
| if: ${{ inputs.dry_run == false }} | ||
| if: ${{ format('{0}', inputs.dry_run) == 'false' }} |
There was a problem hiding this comment.
Unused id: build step identifiers after output removal
Low Severity
The id: build on the build step is now dead code. It previously existed so the workflow could reference steps.build.outputs.package-hashes, but this PR removed that output from the build action. A grep for steps.build across .github/ confirms nothing references it anymore. Since this PR is specifically cleaning up orphaned references (outputs, jobs), this leftover id appears to be an oversight in the same cleanup.
Additional Locations (1)
2 participants
Requirements
N/A — CI-only and documentation changes, no application code or tests affected.
Related issues
Supports the org-wide migration to immutable GitHub releases. Reference implementation:
launchdarkly/ld-relay(branchv8).Describe the solution you've provided
GitHub's immutable releases feature prevents modifying a release after it is published. This repo only uses attestation (no binary/artifact uploads to the release), so
actions/attest@v4— which stores attestations via GitHub's attestation API rather than as release assets — is compatible with immutable releases without needing draft releases.This PR makes the following changes:
SLSA →
actions/attest@v4(both workflows): Replaced the separaterelease-provenancejob (usingslsa-framework/slsa-github-generatorreusable workflow withupload-assets: true) with inlineactions/attest@v4steps within the build job. Attestation now usessubject-path: 'dist/*'to reference the built distribution files directly on disk, eliminating the old base64-encoded hash round-trip entirely.Removed hash outputs from build action: The
package-hashesoutput and "Hash build files for provenance" step were removed from.github/actions/build/action.ymlsincesubject-pathreads files directly rather than requiring pre-computed checksums.attestations: writepermission: Added to both workflows to supportactions/attest@v4.Removed orphaned job outputs from
release-please.yml: Therelease-created,upload-tag-name, andpackage-hashesoutputs were only consumed by the now-removedrelease-provenancejob. All three have been removed.Removed orphaned
package-hashesoutput frommanual-publish.yml: Similarly unused after removing therelease-provenancejob.Updated
PROVENANCE.mdandREADME.md: Replaced all SLSA framework references with GitHub artifact attestation documentation. Verification instructions now usegh attestation verify ... --owner launchdarklyinstead ofslsa-verifier. Sample output reflects the realgh attestation verifyformat including policy criteria and attestation details.dry_runcondition fix: Usesformat('{0}', inputs.dry_run) == 'false'to safely handle the boolean/string mismatch betweenworkflow_call(boolean) andworkflow_dispatch(string) trigger types.Key things for reviewer to verify:
subject-path: 'dist/*'correctly matches thepoetry buildoutput (.tar.gzand.whlfiles in./dist/).release-createdorupload-tag-namejob outputs fromrelease-please.yml. These were only consumed by therelease-provenancejob within this workflow.gh attestation verifyoutput from ld-relay. The repo/workflow names are adapted for this repo but haven't been verified against an actual attested release yet.force-tag-creationis needed for this repo sinceactions/attest@v4does not upload assets to the GitHub release.Updates since last revision
PROVENANCE.mdto usegh attestation verify --owner launchdarklywith the full real output template (policy criteria, attestation details) instead of a simplified placeholder.README.mdprovenance section heading and description to reference GitHub artifact attestations instead of the SLSA framework.taginput frommanual-publish.yml(flagged by Cursor Bugbot as dead code).release-createdandupload-tag-namejob outputs fromrelease-please.yml.dry_runconditions to useformat('{0}', inputs.dry_run) == 'false'for correct boolean/string handling across trigger types.Describe alternatives you've considered
An earlier revision used draft releases with a
publish-releasejob to un-draft after completion. This was simplified since this repo only uses attestation (not artifact uploads), so draft releases are unnecessary.An intermediate revision used
subject-checksumswith a checksums file (base64 decode of hashes computed in the build action). This was replaced withsubject-pathsince the artifacts are on disk in the same job, making the hash round-trip redundant.The verify command could use
-R launchdarkly/python-server-sdkto scope verification to this specific repo, but--owner launchdarklywas chosen for consistency across all LaunchDarkly SDK repos.Additional context
No application code or test changes. Only CI workflow files and documentation are modified.
Link to Devin session: https://app.devin.ai/sessions/7d5bda4d9dbe4ae0b950b30a50485e60
Requested by: @keelerm84
Note
Medium Risk
Changes the release/publish CI provenance mechanism and required workflow permissions, which could affect publishing/attestation behavior if misconfigured. No application runtime code changes.
Overview
Migrates build provenance generation from the SLSA reusable workflow (hash-based, release-asset upload) to GitHub artifact attestations via
actions/attest@v4in bothmanual-publish.ymlandrelease-please.yml, attesting the localdist/*artifacts.Removes the build action’s
package-hashesoutput and hashing step, deletes the separaterelease-provenancejob/related job outputs, addsattestations: writepermissions, and updatesPROVENANCE.mdto verify withgh attestation verify(plus a smalldry_runconditional fix for manual publishing).Written by Cursor Bugbot for commit 1e7fd43. This will update automatically on new commits. Configure here.