fix(release): replace SLSA reusable-workflow provenance with actions/attest-build-provenance#176
Merged
Merged
Conversation
…attest-build-provenance The provenance job added in #164 (slsa-framework/slsa-github-generator's generator_generic_slsa3.yml reusable workflow) failed the v0.23.0 release with a hard startup_failure -- zero jobs scheduled, not even unrelated ones like build-and-test. Root-caused via a throwaway diagnostic branch (deleted): this org has 'Write permissions for workflows' disabled repo-wide (actions/permissions/workflow reports default_workflow_permissions: read, and PUT to write returns 409 'disabled by the organization'). GitHub validates a job's requested permissions against that policy at PARSE TIME specifically for jobs that call an external reusable *workflow* (uses: owner/repo/.github/workflows/x.yml@ref) -- even a bare-minimum such job with read-only-looking permissions triggered the same startup_failure. Confirmed by elimination: removing the job let build-and-test run; a bare bones version of the same reusable-workflow call reproduced the failure in isolation; a normal composite action inside a normal job (matching npm-publish's already-working id-token: write pattern) ran successfully. Fix: actions/attest-build-provenance is a plain composite action, not a reusable workflow, so it isn't subject to that check -- same permission scopes (id-token: write, now attestations: write instead of contents), same normal-job shape npm-publish already uses successfully. Its bundle-path output is a JSON-serialized Sigstore bundle wrapping a real in-toto statement, genuinely valid under both extensions OpenSSF Scorecard's Signed-Releases probes scan release assets for (releasesAreSigned: .sigstore.json; releasesHaveProvenance: .intoto.jsonl) -- uploaded as both, not fabricated duplicates. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The
provenancejob added in #164 (slsa-framework/slsa-github-generator's reusable workflow) broke the v0.23.0 release: pushing the tag produced a hardstartup_failurewith zero jobs scheduled — not even unrelated ones likebuild-and-test.Root cause
This org has "Write permissions for workflows" disabled (
actions/permissions/workflowreportsdefault_workflow_permissions: read; aPUTtowritereturns 409 "disabled by the organization"). GitHub validates a job's requested permissions against that policy at parse time, specifically for jobs that call an external reusable workflow (uses: owner/repo/.github/workflows/x.yml@ref) — even a bare-minimum such job with modest permissions triggered the same whole-runstartup_failure. A normal composite action inside a normal job isn't subject to that check — proven bynpm-publish's existingid-token: writestep, which has worked in every prior release.Diagnosed on a throwaway branch (deleted, never merged) by elimination: removing the job let
build-and-testrun; a bare-minimum reusable-workflow-call reproduced the failure in isolation; swapping to a composite action ran clean.Fix
Replace the SLSA reusable-workflow call with
actions/attest-build-provenance(a plain composite action, GitHub's own native build-provenance attestation —v4is officially a thin wrapper onactions/attest). Same permission shape asnpm-publish(id-token: write, nowattestations: writeinstead ofcontents: write).Its
bundle-pathoutput is a JSON-serialized Sigstore bundle wrapping a real in-toto statement — genuinely valid under both extensions OpenSSF Scorecard's Signed-Releases probes scan release assets for (confirmed by reading the actual probe source):releasesAreSignedwants.sigstore.json/.sig/.asc/etc.;releasesHaveProvenancewants.intoto.jsonl. Uploaded as both — same file content, not fabricated duplicates.Verification
actionlintclean.workflow_dispatchwith a deliberately-invalidrefinput (so even if jobs ran, nothing could actually publish): all six jobs correctly scheduled this time (no startup_failure) —build-and-testfailed on the poisoned ref as expected, and every downstream job (including the new provenance job) showsskipped, exactly matchingneeds:semantics with zero side effects to npm/PyPI/Docker Hub.success, generating a real attestation.🤖 Generated with Claude Code