Skip to content

feat(release): attach npm tarballs + SLSA provenance to GitHub releases#164

Merged
debugmcpdev merged 2 commits into
mainfrom
fix/scorecard-provenance
Jul 9, 2026
Merged

feat(release): attach npm tarballs + SLSA provenance to GitHub releases#164
debugmcpdev merged 2 commits into
mainfrom
fix/scorecard-provenance

Conversation

@debugmcpdev

Copy link
Copy Markdown
Collaborator

Summary

OpenSSF Scorecard Signed-Releases is currently -1 (inconclusive) because releases carry no assets. From the next release:

  1. npm-publish packs the five workspace tarballs, computes their sha256 subjects, and uploads them as a workflow artifact.
  2. A new provenance job calls the SLSA generic generator reusable workflow (slsa-github-generator@v2.1.0 — tag-referenced as SLSA requires; Scorecard exempts this from hash-pinning) to produce sigstore-signed multiple.intoto.jsonl provenance for those tarballs.
  3. create-release downloads both and attaches them as release assets.

Verification for consumers:

slsa-verifier verify-artifact <tarball> --provenance-path multiple.intoto.jsonl --source-uri github.com/debugmcp/mcp-debugger

Provenance-carrying releases score 10/10 on Signed-Releases; asset-less historical releases are skipped by the check, so history doesn't drag the score.

Also refreshes the SECURITY.md supported-versions table (0.20.x → 0.22.x).

Notes

  • Generator inputs (base64-subjects, provenance-name, upload-assets) verified against the v2.1.0 workflow definition; upload-assets: false because create-release attaches the file itself (the release doesn't exist yet when the generator runs).
  • create-release now also needs: provenance.
  • Suggested dry-run before the next real release: push a v0.22.1-alpha.N tag (prerelease path) or use workflow_dispatch with a test ref, and confirm the release gets *.tgz + multiple.intoto.jsonl assets.

🤖 Generated with Claude Code

…es; refresh SECURITY.md versions

OpenSSF Scorecard Signed-Releases (currently -1: releases carry no
assets). From the next release on:

- npm-publish packs the five workspace tarballs, computes sha256
  subjects, and uploads them as a workflow artifact.
- A new 'provenance' job calls the SLSA generic generator reusable
  workflow (slsa-github-generator@v2.1.0, tag-referenced as SLSA
  requires) to produce signed multiple.intoto.jsonl provenance for
  those tarballs via sigstore.
- create-release downloads both and attaches them as release assets,
  so the release ships verifiable artifacts:
    slsa-verifier verify-artifact <tarball>       --provenance-path multiple.intoto.jsonl       --source-uri github.com/debugmcp/mcp-debugger

Provenance-carrying releases score 10/10 on Signed-Releases (releases
without assets are skipped by the check, so history does not drag).

Also refreshes the SECURITY.md supported-versions table (0.20.x ->
0.22.x, current release line).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@codecov

codecov Bot commented Jul 9, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@debugmcpdev debugmcpdev merged commit d89d9cd into main Jul 9, 2026
10 checks passed
debugmcpdev added a commit that referenced this pull request Jul 9, 2026
Project registered and passing at bestpractices.dev/projects/13543
(part of the OpenSSF Scorecard improvement effort). SECURITY.md's
supported-versions table was already refreshed to 0.22.x in #164.

Co-authored-by: JF <john.franklin@gmail.com>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
debugmcpdev added a commit that referenced this pull request Jul 9, 2026
…attest-build-provenance (#176)

The provenance job added in #164 (slsa-framework/slsa-github-generator's
generator_generic_slsa3.yml reusable workflow) failed the v0.23.0 release
with a hard startup_failure -- zero jobs scheduled, not even unrelated
ones like build-and-test.

Root-caused via a throwaway diagnostic branch (deleted): this org has
'Write permissions for workflows' disabled repo-wide
(actions/permissions/workflow reports default_workflow_permissions:
read, and PUT to write returns 409 'disabled by the organization').
GitHub validates a job's requested permissions against that policy at
PARSE TIME specifically for jobs that call an external reusable
*workflow* (uses: owner/repo/.github/workflows/x.yml@ref) -- even a
bare-minimum such job with read-only-looking permissions triggered the
same startup_failure. Confirmed by elimination: removing the job let
build-and-test run; a bare bones version of the same reusable-workflow
call reproduced the failure in isolation; a normal composite action
inside a normal job (matching npm-publish's already-working
id-token: write pattern) ran successfully.

Fix: actions/attest-build-provenance is a plain composite action, not a
reusable workflow, so it isn't subject to that check -- same permission
scopes (id-token: write, now attestations: write instead of contents),
same normal-job shape npm-publish already uses successfully. Its
bundle-path output is a JSON-serialized Sigstore bundle wrapping a real
in-toto statement, genuinely valid under both extensions OpenSSF
Scorecard's Signed-Releases probes scan release assets for
(releasesAreSigned: .sigstore.json; releasesHaveProvenance:
.intoto.jsonl) -- uploaded as both, not fabricated duplicates.

Co-authored-by: JF <john.franklin@gmail.com>
Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants