ci: switch from SLSA provenance to actions/attest with subject-path#19
Merged
Conversation
Contributor
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
Since actions/attest@v4 stores attestations via GitHub's attestation API (not as release assets), repos that only use attestation don't need draft releases. Release-please can publish the release directly. Changes: - Remove draft:true from release-please-config.json - Remove create-tag job/steps (force-tag-creation handles this) - Remove publish-release job (release is published directly) - Remove publish_release input from manual workflows
force-tag-creation only operates in conjunction with draft releases. Since this repo does not use draft releases (attestation-only, no artifact uploads to the release), force-tag-creation is not needed.
kinyoklion
approved these changes
Apr 1, 2026
3 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Requirements
N/A — CI-only changes, no application code or tests affected.
Related issues
Supports the org-wide migration to immutable GitHub releases. Reference implementation:
launchdarkly/ld-relay.Describe the solution you've provided
Since this repo only uses attestation (no binary/artifact uploads to the release), draft releases are not needed —
actions/attest@v4stores attestations via GitHub's attestation API, not as release assets. This PR makes the following changes:Replace SLSA generator with
actions/attest@v4(release-please.yml,manual-publish.yml): The separaterelease-provenancejob usingslsa-framework/slsa-github-generator(which uploaded.intoto.jsonlfiles as release assets viaupload-assets: true) is removed in both workflows. Attestation is now done inline viaactions/attest@v4withsubject-path, referencing the built gem file directly (launchdarkly-server-sdk-otel-*.gem). Theattestations: writepermission is added to the build jobs.Remove base64 hash round-trip (
.github/actions/publish/action.yml): Thegem-hashoutput and "Hash gem for provenance" step are removed from the composite action. The old SLSA generator requiredbase64-subjects, which meant the composite action had tosha256sum | base64 -w0and the workflow had to decode it back. Withsubject-path,actions/attest@v4reads the file directly from disk — no hashing or encoding needed.Remove orphaned job outputs (
release-please.yml): Therelease-created,upload-tag-name, andgem-hashoutputs on therelease-packagejob were only consumed by the now-removedrelease-provenancejob. They have been cleaned up.Update provenance documentation (
PROVENANCE.md): Replaced SLSA verifier instructions withgh attestation verifyinstructions and updated sample output to reflect GitHub artifact attestations. Thex-release-please-start-versionmarker is preserved so release-please keeps the version in sync.Cosmetic: The
extra-filesarray inrelease-please-config.jsonwas reformatted from inline to multi-line.Key points for review:
launchdarkly-server-sdk-otel-*.gemmatches the gem built bygem build launchdarkly-server-sdk-otel.gemspecin the composite action (the gem is built in the workspace root, and the attest step runs in the same job).release-please.ymlgates the attest step onreleases_created(plural) — this is the correct aggregate output for manifest mode. The manual publish workflow gates onformat('{0}', inputs.dry_run) == 'false'to handle both boolean and string input types.actions/atteston a feature branch since it requires a real release context. A dry-run dispatch can confirm the guard prevents attestation from running.Updates since last revision
subject-checksums: checksums.txttosubject-path: 'launchdarkly-server-sdk-otel-*.gem', eliminating the base64 encode/decode round-trip entirely.gem-hashoutput and "Hash gem for provenance" step from.github/actions/publish/action.yml.taginput frommanual-publish.yml(was added for consistency but never referenced by any step).release-createdandupload-tag-nameoutputs fromrelease-please.yml(their sole consumer, therelease-provenancejob, was removed).skip-github-pull-request/skip-github-release) that was briefly added. This pattern is only needed for repos that upload artifacts to releases (which require draft releases). Since this repo is attestation-only, the standard single-pass release-please is correct.Describe alternatives you've considered
subject-checksumswith a checksums file generated by decoding base64-encoded hashes from the composite action.subject-pathis simpler since the gem file is already on disk in the same job.publish-releasejob to un-draft after completion. This was simplified since this repo only uses attestation (not artifact uploads), making draft releases unnecessary.Additional context
No build/publish logic was changed — only the provenance mechanism (SLSA → actions/attest with
subject-path) and release-please config formatting were modified. Theformat('{0}', inputs.dry_run)pattern stringifies the input regardless of source type, ensuring== 'false'works for bothworkflow_call(boolean) andworkflow_dispatch(string) triggers.Link to Devin session: https://app.devin.ai/sessions/7d5bda4d9dbe4ae0b950b30a50485e60
Requested by: @keelerm84