ci(release): add SLSA L3 + cosign release workflow, fix README badges#3
The CI and OpenSSF Scorecard badges were still pointing at github.com/kanywst/zopa, left over from before the repo was moved to the 0-draft org. The badges resolved to 404 and stayed gray on the rendered README.
Pushing a v* tag now produces a signed, attested wasm release:

- build: zig build --release=small produces zopa-<tag>.wasm. We compute its SHA-256, write a checksum file, and emit the base64-encoded subject for the SLSA generator.
- provenance: slsa-github-generator/generator_generic_slsa3 v2.1.0 attests the build in an isolated reusable workflow and uploads the .intoto.jsonl bundle to the release.
- sign: sigstore cosign sign-blob runs keylessly via OIDC, emitting a single .sigstore.json bundle (cosign v4 default).
- release: softprops/action-gh-release attaches the .wasm, .sha256, and .sigstore.json to the release with auto-generated notes from the merged PRs since the previous tag.

All actions are sha-pinned except the SLSA reusable workflow, which must be tag-pinned per upstream's binary-fetch convention. No long-lived secrets are required; all credentials are minted via OIDC per run. CHANGELOG records the new pipeline under Unreleased.
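The build step above hands the generator a base64-encoded `sha256sum`-style subject line, and the provenance step attests exactly that subject. The following is an added example, not the zopa project's workflow code, showing both ends of that contract: the build side computes the digest, the `.sha256` file and the `base64-subjects` value; the consumer side opens the `.intoto.jsonl` DSSE envelope and checks that the in-toto statement names this file with this digest, is SLSA v1 provenance, came from the generic SLSA3 generator, and cites `0-draft/zopa` as the source. It is a structural check only; the DSSE signature and Fulcio identity are what `slsa-verifier` and `cosign` verify, and this does not replace them. The artifact bytes, the version `v0.1.0`, and the sample envelope are constructed here; the exact field layout of the statement (in-toto Statement v1 with `externalParameters.workflow.repository`) is my assumption about the generator's output.

```python
import base64
import hashlib
import json

SLSA_V1 = "https://slsa.dev/provenance/v1"
IN_TOTO_V1 = "https://in-toto.io/Statement/v1"
GENERATOR_PREFIX = (
    "https://github.com/slsa-framework/slsa-github-generator/"
    ".github/workflows/generator_generic_slsa3.yml@"
)
SOURCE_REPO = "https://github.com/0-draft/zopa"

# Constructed stand-in for the built artifact (wasm magic + filler) and a
# placeholder version; the real file is whatever `zig build` emits.
ARTIFACT_NAME = "zopa-v0.1.0.wasm"
SAMPLE_WASM = b"\x00asm\x01\x00\x00\x00" + b"\x00" * 24


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def checksum_line(name: str, data: bytes) -> str:
    """One line in sha256sum(1) format, which `shasum -a 256 -c` accepts."""
    return f"{sha256_hex(data)}  {name}\n"


def base64_subjects(name: str, data: bytes) -> str:
    """The value the build job passes to the generator as `base64-subjects`."""
    return base64.b64encode(checksum_line(name, data).encode()).decode()


def decode_subjects(b64: str) -> str:
    return base64.b64decode(b64).decode()


def make_sample_envelope(name: str, data: bytes,
                         builder_id: str = GENERATOR_PREFIX + "refs/tags/v2.1.0") -> str:
    """Constructed DSSE envelope in the shape uploaded as <artifact>.intoto.jsonl.
    The signature is a placeholder string, so slsa-verifier would reject this
    envelope; it exists only to exercise the structural checks below."""
    statement = {
        "_type": IN_TOTO_V1,
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(data)}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {
                "externalParameters": {  # assumed layout, see lead-in
                    "workflow": {"repository": SOURCE_REPO, "ref": "refs/tags/v0.1.0",
                                 "path": ".github/workflows/release.yml"}
                }
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    envelope = {"payloadType": "application/vnd.in-toto+json",
                "payload": payload,
                "signatures": [{"keyid": "", "sig": "PLACEHOLDER-NOT-A-SIGNATURE"}]}
    return json.dumps(envelope) + "\n"


def check_provenance(envelope_jsonl: str, name: str, data: bytes) -> list[str]:
    """Structural checks to run before (not instead of) slsa-verifier.
    Returns a list of problems; an empty list means the statement matches."""
    problems = []
    env = json.loads(envelope_jsonl.splitlines()[0])
    if env.get("payloadType") != "application/vnd.in-toto+json":
        problems.append(f"unexpected payloadType {env.get('payloadType')!r}")
    if not env.get("signatures"):
        problems.append("envelope carries no signatures")
    stmt = json.loads(base64.b64decode(env["payload"]))
    if stmt.get("predicateType") != SLSA_V1:
        problems.append(f"predicateType is {stmt.get('predicateType')!r}, not SLSA v1")
    want = sha256_hex(data)
    # The subject must match on both file name and digest: a renamed file or a
    # single flipped byte must fail here.
    if not any(s.get("name") == name and s.get("digest", {}).get("sha256") == want
               for s in stmt.get("subject", [])):
        problems.append(f"no subject matches {name} with sha256 {want}")
    pred = stmt.get("predicate", {})
    builder = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    if not builder.startswith(GENERATOR_PREFIX):
        problems.append(f"builder id {builder!r} is not the generic SLSA3 generator")
    repo = (pred.get("buildDefinition", {}).get("externalParameters", {})
            .get("workflow", {}).get("repository"))
    if repo != SOURCE_REPO:
        problems.append(f"provenance cites source {repo!r}, expected {SOURCE_REPO}")
    return problems


SAMPLE_ENVELOPE = make_sample_envelope(ARTIFACT_NAME, SAMPLE_WASM)

if __name__ == "__main__":
    print(checksum_line(ARTIFACT_NAME, SAMPLE_WASM), end="")
    print("base64-subjects:", base64_subjects(ARTIFACT_NAME, SAMPLE_WASM))
    print("problems:", check_provenance(SAMPLE_ENVELOPE, ARTIFACT_NAME, SAMPLE_WASM))
    print("tampered:", check_provenance(SAMPLE_ENVELOPE, ARTIFACT_NAME, SAMPLE_WASM + b"\x00"))
```

The name check matters because the release names the file `zopa-<tag>.wasm`: a consumer who renames the download before checking would otherwise get a false mismatch, and an attacker who swaps in a different file of the same name is caught by the digest.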
Address gemini-code-assist review: the Added entry was implementation-detail-heavy ('triggers .github/workflows/release.yml ... slsa-github-generator ... cosign keyless ...') rather than describing a user-facing outcome. Rewrite as 'automated releases on v* tags with SLSA v1.0 provenance and cosign signatures' plus the artifact list.

Also add a Fixed section recording the README badge URL repair, which the previous CHANGELOG didn't capture even though the same PR ships the fix. Keep a Changelog calls for distinct Added / Fixed buckets.
See #3 (comment)...
Summary
- `.github/workflows/release.yml`: pushing a `v*` tag now produces a signed, attested wasm release artifact with SLSA v1.0 build provenance, a SHA-256 checksum, and a Sigstore cosign keyless signature.
- README badges: they pointed at `github.com/kanywst/zopa` from before the repo moved to the `0-draft` org, and were silently 404-ing on the rendered README.

Pipeline shape
```
v* tag
│
├─ build      → zopa-<tag>.wasm + .sha256
├─ provenance → slsa-github-generator (reusable, isolated builder)
│               attaches zopa-<tag>.wasm.intoto.jsonl
├─ sign       → cosign sign-blob (keyless, OIDC)
│               attaches zopa-<tag>.wasm.sigstore.json
└─ release    → softprops/action-gh-release attaches .wasm + .sha256
                and writes auto-generated release notes
```
After a release, consumers can verify with:
```bash
# checksum: the .sha256 file is in sha256sum format ("<hex>  <file>"), which -c expects
shasum -a 256 -c zopa-vX.Y.Z.wasm.sha256

# cosign verify (keyless, identity = this workflow)
# The regexp anchors on the workflow path but accepts any ref after the "@";
# append "refs/tags/" to the pattern to accept only tag builds.
cosign verify-blob \
  --bundle zopa-vX.Y.Z.wasm.sigstore.json \
  --certificate-identity-regexp "^https://github.com/0-draft/zopa/.github/workflows/release.yml@" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
  zopa-vX.Y.Z.wasm

# slsa-verifier: checks the DSSE signature, the builder identity, and that the
# provenance cites this repo and tag for this exact artifact digest
slsa-verifier verify-artifact \
  --provenance-path zopa-vX.Y.Z.wasm.intoto.jsonl \
  --source-uri github.com/0-draft/zopa \
  --source-tag vX.Y.Z \
  zopa-vX.Y.Z.wasm
```
Notes / decisions
- `slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0` must be tag-pinned per upstream's binary-fetch convention. The same exception is taken in `0-draft/sigil`; the `check-pins.sh`/`pin-actions.sh` helpers there skip this path. The reasoning is left as an inline comment in the workflow.
- `--release=small` matches what CI already builds, so the artifact size stays at the documented ~50 KB.
- `zopa-<tag>.wasm` rather than bare `zopa.wasm`, so the file name carries the version when downloaded outside the Release page.
- `harden-runner` egress audit, `persist-credentials: false`, and the cosign v4 single-bundle output (`--bundle`) instead of the deprecated `--output-signature`/`--output-certificate` pair.

Test plan
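The pin policy stated in the notes (every action SHA-pinned, with the single tag-pinned exception for the SLSA reusable workflow) is mechanical enough to check in CI. The following is an added example written here; it is not the `check-pins.sh` helper from `0-draft/sigil`, which this page does not show. It scans a workflow file for `uses:` references and flags anything that is not a full 40-hex commit, except the generator path when it is pinned to a release tag. The workflow fragment and its 40-character digests are constructed placeholders, not the real commits of those actions.

```python
import re

# `uses:` value up to whitespace or a trailing "# v4.2.2"-style comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)", re.MULTILINE)
SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v\d+\.\d+\.\d+$")

# The one documented exception: upstream fetches its builder binary by release
# tag (the "binary-fetch convention"), so this path is pinned to a tag, not a SHA.
TAG_PIN_ALLOWED = frozenset({
    "slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml",
})


def check_pins(workflow_yaml: str) -> list[str]:
    """Return one finding per `uses:` that violates the policy; empty means clean."""
    findings = []
    for m in USES_RE.finditer(workflow_yaml):
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local composite actions and docker images: out of scope here
        if "@" not in ref:
            findings.append(f"{ref}: unpinned, floats on the default branch")
            continue
        action, _, version = ref.rpartition("@")
        if SHA40_RE.match(version):
            continue
        if action in TAG_PIN_ALLOWED and TAG_RE.match(version):
            continue  # tag-pinned exception; a branch like @main is still rejected
        findings.append(f"{action}@{version}: not pinned to a full commit SHA")
    return findings


# Constructed workflow fragment (placeholder digests, not real action commits).
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: step-security/harden-runner@{d1}  # egress audit
        with:
          egress-policy: audit
      - uses: actions/checkout@{d2}
        with:
          persist-credentials: false
      - uses: sigstore/cosign-installer@v3
  provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
  release:
    steps:
      - uses: softprops/action-gh-release
""".format(d1="1" * 40, d2="2" * 40)

if __name__ == "__main__":
    for finding in check_pins(SAMPLE_WORKFLOW):
        print("FAIL", finding)
```

On the sample, the two SHA-pinned steps and the tag-pinned generator pass; `cosign-installer@v3` and the bare `softprops/action-gh-release` are reported. A mutable tag on the generator path is the only tag the policy tolerates, and `@main` on that same path still fails because `TAG_RE` requires a release tag.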