From 2b72a78d26a60ced43cc50b7623b0f626ed341c5 Mon Sep 17 00:00:00 2001
From: Daniel Young <9008637+YoungDan@users.noreply.github.com>
Date: Fri, 29 May 2026 13:38:46 +0200
Subject: [PATCH] ci: reference slsa-github-generator by tag, not SHA

The slsa-github-generator reusable workflow downloads its builder binary from the release matching its own ref. SHA-pinning it means there is no matching release to resolve, so the binary is never fetched and the attest step dies with exit 127 (No such file or directory), leaving an empty provenance that fails the upload-assets and final jobs. Pin by the v2.1.0 tag (documented requirement); a comment records why this is an explicit exception to the SHA-pinning policy.
---
 .github/workflows/release.yml | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index fdb7cb3..ddfb48c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -216,10 +216,14 @@ jobs:
 actions: read
 id-token: write
 contents: write
- # Reusable workflow pinned to slsa-github-generator v2.1.0.
- # v2.1.0 migrated to actions/artifact v4; v2.0.0 fails to attach the
- # provenance after the artifact-v3 backend shutdown (empty UNTRUSTED_PATH).
- uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
+ # SECURITY EXCEPTION to the "pin every third-party action to a full commit
+ # SHA" rule: the slsa-github-generator reusable workflow MUST be referenced
+ # by a semver tag. At runtime it downloads its builder binary from the
+ # release that matches its own ref; a 40-char SHA cannot be mapped to a
+ # release, so the download is skipped and the binary is missing (exit 127).
+ # The generator self-verifies the downloaded builder against the release,
+ # which is the project's sanctioned integrity mechanism for this pin.
+ uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
 with:
 base64-subjects: ${{ needs.hashes.outputs.hashes }}
 upload-assets: true
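Review bot: The new comment block above `uses:` records the exception but not its residual risk: a tag is a mutable ref, so the self-verification the comment describes covers the builder binary the generator downloads, not the reusable-workflow YAML that GitHub fetches at `@v2.1.0`, and the comment should say so — e.g. `# Residual risk: the tag is mutable; the builder binary is verified, the workflow YAML at the tag is not — review upstream changes when bumping.` It is also worth stating that automated SHA-pinning tooling must skip this line, because the removed line's trailing `# v2.1.0` marker looks like the output such a tool emits, and a later run would presumably re-pin it and silently reintroduce the exit-127 failure described in the commit; a line such as `# Do not auto-pin: re-pinning to a SHA reproduces the exit-127 failure described in the commit.` plus an exclusion in that tool's configuration, if one is in use, would close that gap. The enclosing job definition starts before this hunk.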