Skip to content

ci: implement immutable releases support with actions/attest #413

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
keelerm84 merged 16 commits into from
Apr 6, 2026
Merged

ci: implement immutable releases support with actions/attest #413

Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
8b27a20
ci: use draft releases to support immutable GitHub releases
keelerm84 Mar 31, 2026
6698515
ci: add force-tag-creation and publish_release option
keelerm84 Mar 31, 2026
fda68d7
ci: simplify for attestation-only releases (no draft needed)
keelerm84 Mar 31, 2026
6378f68
ci: remove force-tag-creation from attestation-only repo
keelerm84 Mar 31, 2026
21f2567
ci: switch from subject-checksums to subject-path for attestation
keelerm84 Mar 31, 2026
6a189a1
ci: remove unused tag input and orphaned job outputs
keelerm84 Apr 1, 2026
efadac5
ci: fix inconsistent dry_run condition style
keelerm84 Apr 1, 2026
3e77b7b
ci: use format() for dry_run conditions to handle both string and boo…
keelerm84 Apr 1, 2026
2bfd140
docs: update PROVENANCE.md and README.md for GitHub artifact attestat…
keelerm84 Apr 1, 2026
59d9245
docs: use real gh attestation verify output template and --owner flag
keelerm84 Apr 1, 2026
1e7fd43
docs: restore original SLSA framework text in README.md
keelerm84 Apr 1, 2026
429a12d
ci: apply split release-please pattern for immutable releases
keelerm84 Apr 6, 2026
31b6111
ci: use release_created consistently in single-package repo
keelerm84 Apr 6, 2026
26ca14f
Revert "ci: use release_created consistently in single-package repo"
keelerm84 Apr 6, 2026
ecee684
Revert "ci: apply split release-please pattern for immutable releases"
keelerm84 Apr 6, 2026
376a848
ci: remove unused step IDs and fix stale permission comments
keelerm84 Apr 6, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
10 changes: 0 additions & 10 deletions .github/actions/build/action.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,19 +1,9 @@
name: Build distribution files
description: 'Build distribution files'
outputs:
package-hashes:
description: "base64-encoded sha256 hashes of distribution files"
value: ${{ steps.package-hashes.outputs.package-hashes }}

runs:
using: composite
steps:
- name: Build distribution files
shell: bash
run: poetry build
- name: Hash build files for provenance
id: package-hashes
shell: bash
working-directory: ./dist
run: |
echo "package-hashes=$(sha256sum * | base64 -w0)" >> "$GITHUB_OUTPUT"
20 changes: 7 additions & 13 deletions .github/workflows/manual-publish.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,8 +14,7 @@ jobs:
permissions:
id-token: write
contents: read
outputs:
package-hashes: ${{ steps.build.outputs.package-hashes}}
attestations: write # Needed for artifact attestations
Comment thread
cursor[bot] marked this conversation as resolved.
steps:
- uses: actions/checkout@v4

Expand All @@ -36,18 +35,13 @@ jobs:
id: build

- name: Publish package distributions to PyPI
if: ${{ inputs.dry_run == false }}
if: ${{ format('{0}', inputs.dry_run) == 'false' }}
Comment thread
cursor[bot] marked this conversation as resolved.
uses: pypa/gh-action-pypi-publish@ed0c53931b1dc9bd32cbe73a98c7f6766f8a527e # v1.13.0
with:
password: ${{env.PYPI_AUTH_TOKEN}}

release-provenance:
needs: ["build-publish"]
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
with:
base64-subjects: "${{ needs.build-publish.outputs.package-hashes }}"
upload-assets: ${{ !inputs.dry_run }}
- name: Attest build provenance
if: ${{ format('{0}', inputs.dry_run) == 'false' }}
uses: actions/attest@v4
with:
subject-path: 'dist/*'
24 changes: 7 additions & 17 deletions .github/workflows/release-please.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,18 +11,15 @@ jobs:
id-token: write # Needed if using OIDC to get release secrets.
contents: write # Contents and pull-requests are for release-please to make releases.
pull-requests: write
outputs:
release-created: ${{ steps.release.outputs.release_created }}
upload-tag-name: ${{ steps.release.outputs.tag_name }}
package-hashes: ${{ steps.build.outputs.package-hashes}}
attestations: write # Needed for artifact attestations
steps:
- uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
id: release

- uses: actions/checkout@v4
if: ${{ steps.release.outputs.releases_created == 'true' }}
with:
fetch-depth: 0 # Full history is required for proper changelog generation
fetch-depth: 0

- uses: actions/setup-python@v5
if: ${{ steps.release.outputs.releases_created == 'true' }}
Expand Down Expand Up @@ -53,15 +50,8 @@ jobs:
with:
password: ${{env.PYPI_AUTH_TOKEN}}

release-provenance:
needs: ["release-package"]
if: ${{ needs.release-package.outputs.release-created == 'true' }}
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
with:
base64-subjects: "${{ needs.release-package.outputs.package-hashes }}"
upload-assets: true
upload-tag-name: ${{ needs.release-package.outputs.upload-tag-name }}
- name: Attest build provenance
if: ${{ steps.release.outputs.releases_created == 'true' }}
uses: actions/attest@v4
with:
subject-path: 'dist/*'
Loading