…curity features
- Introduced AI-assisted changelog generation using release-plz
- Implemented SLSA Level 3 attestation with sigstore/cosign
- Enhanced cross-compilation capabilities with cargo-dist
- Integrated security scanning using cargo-audit and SBOM generation
- Optimized caching and parallel builds for improved performance
- Added native ARM runners for faster builds
- Updated job structure for better clarity and efficiency
- Added new configuration file for release-plz with detailed settings
- Improved artifact handling and signing processes
- Enhanced release notes generation with comprehensive metrics and instructions
…rkflow analysis and code improvement
fix: Update CI workflow to parse and comment coverage reports using XML format
* Pin 49+ action usages to commit SHAs across all workflows:
  - actions/checkout@08c6903 # v5.0.0
  - actions-rust-lang/setup-rust-toolchain@2fcdc49 # v1.15.0
  - Swatinem/rust-cache@23bce25 # v2.7.3
  - cargo-bins/cargo-binstall@20aa316 # v1.15.5
  - release-plz/action@acb9246 # v0.5
  - codecov/codecov-action@af2ee03 # v4.5.0
  - actions/github-script@60a0d83 # v7.0.1
  - actions/upload-artifact@b4b15b8 # v4.4.3
  - actions/download-artifact@fa0a91b # v4.1.8
  - actions/cache@6849a64 # v4.1.2
  - taiki-e/install-action@d981a0b # v2.44.39
  - sigstore/cosign-installer@dc72c7d # v3.7.0
  - actions/attest-build-provenance@1c608d1 # v1.4.5
  - softprops/action-gh-release@e7a8f85 # v2.0.9
* Standardize Rust version to 1.90.0 across all workflows:
  - Remove "stable" floating version in release-plz.yml, release-pr.yml, release.yml
  - Ensure consistent toolchain for deterministic builds
* Unify Rust toolchain action usage:
  - Replace dtolnay/rust-toolchain with actions-rust-lang/setup-rust-toolchain
  - Provides better caching, problem matchers, and environment optimization
* Tighten security patterns:
  - Fix macOS version pattern from wildcard "macos-*" to specific "macos-14"
  - Restrict cosign certificate identity from broad repo pattern to specific workflow: "https://github.com/nutthead/samoyed/.github/workflows/release.yml@refs/heads/master"

Files modified:
- .github/workflows/ci.yml (49 SHA pins, toolchain standardization)
- .github/workflows/release.yml (32 SHA pins, patterns tightened)
- .github/workflows/release-plz.yml (5 SHA pins, Rust version fix)
- .github/workflows/release-pr.yml (5 SHA pins, Rust version fix)

This addresses critical security vulnerabilities identified in workflow analysis, following 2025 GitHub Actions security best practices for immutable dependencies, consistent environments, and defense against supply chain attacks.
BREAKING CHANGE: All GitHub Actions now use commit SHA pinning instead of mutable semantic versions, ensuring immutable, reproducible builds and eliminating supply chain attack vectors.
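The commit above pins every action to a commit SHA so that a tag moved by an action's owner cannot change what the workflow runs. The checker below is an added example for auditing that property (it is not part of the samoyed project or this PR): it scans workflow text for `uses:` references and reports any that are not immutably pinned, treating abbreviated SHAs and mutable Docker image tags as unpinned too. The embedded sample workflow and its 40-digit SHA are constructed placeholders.

```python
"""Flag GitHub Actions `uses:` references that are not pinned to an immutable commit SHA.

Added example, not part of the samoyed project. Assumes workflow YAML is handed in as
text; the sample workflow below and its 40-digit SHA are constructed placeholders.
"""
import re
import sys
from pathlib import Path

# A `uses:` line: optional list dash, the reference, optional trailing `# vX.Y.Z` comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)["\']?\s*(#.*)?$')
HEX_RE = re.compile(r'^[0-9a-f]+$')

# Reference kinds that cannot change underneath you without a commit in this repository.
PINNED = frozenset({'sha', 'local', 'docker-digest'})


def classify_uses(ref: str) -> str:
    """Return the reference kind: sha, short-sha, tag, unversioned, local, docker-tag or docker-digest."""
    if ref.startswith('./'):
        return 'local'  # composite action checked into this repository
    if ref.startswith('docker://'):
        # Image tags are mutable just like git tags; only a digest is immutable.
        return 'docker-digest' if '@sha256:' in ref else 'docker-tag'
    if '@' not in ref:
        return 'unversioned'  # resolves to the action's default branch
    version = ref.rpartition('@')[2]
    if HEX_RE.match(version):
        # Git resolves abbreviated SHAs, but only the full 40-hex form is collision-resistant.
        return 'sha' if len(version) == 40 else 'short-sha'
    return 'tag'  # v4, v4.1.2, main, ...: all movable by the action's owner


def find_unpinned(workflow_text: str) -> list:
    """Return (line_no, ref, kind) for every `uses:` reference that is not immutably pinned."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), start=1):
        match = USES_RE.match(line)
        if match is None:
            continue
        ref = match.group(1)
        kind = classify_uses(ref)
        if kind not in PINNED:
            findings.append((line_no, ref, kind))
    return findings


# Constructed sample: one full-SHA pin (placeholder digits) plus several mutable forms.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@1111111111111111111111111111111111111111 # v5.0.0 (placeholder SHA)
      - uses: Swatinem/rust-cache@v2.7.3
      - uses: ./.github/actions/local-step
      - uses: codecov/codecov-action@08c6903 # abbreviated SHA, not a full pin
      - uses: docker://alpine:3.20
      - name: build
        run: cargo build --locked
"""


def audit_paths(paths) -> int:
    """Audit workflow files on disk; return the number of unpinned references found."""
    total = 0
    for path in paths:
        for line_no, ref, kind in find_unpinned(Path(path).read_text()):
            print(f'{path}:{line_no}: {kind}: {ref}')
            total += 1
    return total


if __name__ == '__main__':
    targets = sys.argv[1:] or sorted(Path('.github/workflows').glob('*.yml'))
    if not targets:
        # No workflow files found: demonstrate on the embedded sample instead.
        for line_no, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
            print(f'sample:{line_no}: {kind}: {ref}')
    else:
        sys.exit(1 if audit_paths(targets) else 0)
```

Run it from the repository root with no arguments to audit `.github/workflows/*.yml`, or pass file paths explicitly; a non-zero exit makes it usable as a CI gate. The `# vX.Y.Z` comments the commit keeps next to each SHA are deliberately ignored, since the comment is documentation and only the SHA is what the runner resolves.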
Pull Request Overview
This PR introduces a comprehensive overhaul of the CI/CD pipeline featuring enhanced security, automation, and cross-platform support. The changes implement a modern release workflow with SLSA Level 3 attestation, comprehensive security scanning, and intelligent CI optimizations.
- Complete replacement of existing release workflows with modern automated release management using release-plz
- Enhanced CI pipeline with intelligent caching, parallel execution, and fail-fast checks
- Implementation of SLSA Level 3 attestation with sigstore/cosign for all release artifacts
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| .release-plz.toml | Configuration for automated release management with changelog generation |
| .github/workflows/release.yml | Complete rewrite of release pipeline with SLSA attestation and cross-platform builds |
| .github/workflows/release-pr.yml | New workflow for automated release PR creation |
| .github/workflows/release-plz.yml | New workflow for tag creation after release PR merge |
| .github/workflows/ci.yml | Enhanced CI pipeline with modern optimizations and security scanning |
| .github/workflows/README.md | Comprehensive documentation for the new workflow system |
| .claude/agents/rust-release-pipeline.md | Claude agent configuration for Rust release pipeline expertise |
| .claude/agents/rust-code-improver.md | Claude agent configuration for Rust code improvement |
| .claude/agents/github-actions-auditor.md | Claude agent configuration for GitHub Actions auditing |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | ||
| with: | ||
| path: artifacts | ||
| pattern: binary-* |
The pattern parameter is used with path but without merge-multiple: true. This will create separate subdirectories for each artifact. Consider adding merge-multiple: true if you want all artifacts in the same directory, or adjust the path handling logic accordingly.
| pattern: binary-* | |
| pattern: binary-* | |
| merge-multiple: true |
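Review bot: with `merge-multiple: true` as suggested, every artifact matching `binary-*` is unpacked into the single `artifacts` directory, so files that share a name across artifacts overwrite one another silently. Before adopting the suggestion, confirm that each `binary-*` artifact's files carry a unique name (for example the target triple in the archive name); otherwise keep the default per-artifact subdirectories and have the later signing and release steps glob `artifacts/*/` instead.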
| cosign verify-blob \ | ||
| --certificate test-artifact.tar.gz.crt \ | ||
| --signature test-artifact.tar.gz.sig \ | ||
| --certificate-identity-regexp "https://github.com/nutthead/samoyed/.github/workflows/release.yml@refs/heads/master" \ |
The certificate identity regexp uses hardcoded 'master' branch name. Consider using a variable or dynamic reference like @${{ github.ref }} to make this more flexible for different branch names.
| --certificate-identity-regexp "https://github.com/nutthead/samoyed/.github/workflows/release.yml@refs/heads/master" \ | |
| --certificate-identity-regexp "https://github.com/nutthead/samoyed/.github/workflows/release.yml@${GITHUB_REF}" \ |
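Review bot: the identity is passed through `--certificate-identity-regexp` but written as a literal URL: the unescaped `.` characters match any character and the pattern is unanchored, so it is looser than the "specific workflow" restriction the commit message describes. Use `--certificate-identity` with the exact value for an exact match, or anchor and escape the pattern if the regexp form is kept. On the suggested `${GITHUB_REF}` substitution: the identity in the signing certificate records the ref the signing run used, so the verifying step has to supply that same ref (`refs/heads/master` for a branch-triggered run, a `refs/tags/...` value for a tag-triggered one); substituting the verifier's own ref is only correct when signing and verification happen in the same run.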
| if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.fork == false | ||
| run: npm install [email protected] [email protected] --no-save --no-package-lock |
Installing npm packages with hardcoded versions without package-lock verification poses a potential security risk. Consider using a more secure approach like pre-installing these tools in a custom action or using a verified container image.
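Review bot: `--no-package-lock` removes the one integrity check npm would otherwise perform, because without a lockfile there is no recorded `integrity` hash to compare the downloaded tarballs against; pinning the version strings alone does not protect against a registry-side substitution. Commit a package-lock.json for these two tools and install them with `npm ci`, which verifies the recorded hashes and refuses to run when package.json and the lockfile disagree. The `head.repo.fork == false` guard is the right call, since it keeps this install from running for untrusted fork PRs.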
| run: | | ||
| if [[ "${{ needs.quick-check.result }}" != "success" ]] || | ||
| [[ "${{ needs.test.result }}" != "success" ]] || | ||
| [[ "${{ needs.coverage.result }}" != "success" ]]; then | ||
| echo "❌ CI failed" | ||
| exit 1 | ||
| fi |
The status check logic doesn't account for the 'security' job result, which is listed as a dependency in the needs array but not checked in the conditional logic. This could allow CI to pass even if security checks fail.
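Review bot: beyond the missing `security` check, enumerating jobs by name means every future addition to `needs` must also be remembered here, and the omission above shows how easily one is missed. Fail on any non-success result across the whole `needs` set instead, for example `if [[ "${{ contains(needs.*.result, 'failure') || contains(needs.*.result, 'cancelled') || contains(needs.*.result, 'skipped') }}" == "true" ]]; then`, which matches the current "anything but success fails" semantics without listing jobs.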
| runs-on: ubuntu-latest | ||
| # Only run when a release PR is merged (detected by version bump in Cargo.toml) | ||
| if: | | ||
| github.event.pusher.name != 'github-actions[bot]' && |
The condition github.event.pusher.name != 'github-actions[bot]' may not work reliably as the pusher name could vary. Consider using github.actor != 'github-actions[bot]' or checking github.event.head_commit.author.name instead for more reliable bot detection.
| github.event.pusher.name != 'github-actions[bot]' && | |
| github.actor != 'github-actions[bot]' && |
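Review bot: the comment on the `if:` says the real signal is the version bump in Cargo.toml, so either field here is only a first filter; it is worth being precise about what each one excludes. `github.event.pusher.name` is the account that performed the push, which for a PR merged through the GitHub UI is the merging user, and `github.actor` is likewise the user who triggered the run, so a release PR merged by a maintainer passes both checks (as intended) and the condition only drops pushes the bot itself makes. Also note that pushes made with the default `GITHUB_TOKEN` do not trigger `push` workflows at all, so this guard only has an effect when the bot pushes with a PAT or GitHub App token.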
…ipelines
- Fix PowerShell command parsing error in Windows CI tests by converting multiline cargo test to single line
- Correct Rust toolchain setup parameter from 'targets' to 'target' for proper musl target installation
- Fix duplicate 'with:' clause YAML syntax error in release workflow
- Ensure cross-platform compatibility for all CI matrix builds

Resolves workflow failures in PR #134 and enables successful CI execution on all platforms.

This commit message follows conventional commit format with:
- Type: fix (addresses broken functionality)
- Description: Clear summary of the main issue resolved
- Body: Detailed list of specific fixes applied
- Footer: Reference to the specific PR and impact
📊 Coverage Report (generated by cargo-tarpaulin)
…dependencies
- Fix invalid matrix.toolchain access in CI workflow test job
- Update rust-cache action from v2.7.3 to v2.8.1 across all workflows
- Update build-provenance action from v1.4.5 to v3.0.0
- Improve cargo-binstall installation with fallback to cargo install
- Comment out environment requirements for release and crates-io jobs
- Add retry logic and fallback for security tools installation

Resolves VS Code warning about accessing undefined matrix.toolchain property. All workflow files now use consistent action versions and improved reliability.
Update all GitHub Actions to their latest stable versions with pinned commit SHAs for enhanced security and access to latest features.

Actions updated:
- actions-rust-lang/setup-rust-toolchain: v1.15.0 → v1.15.1
- actions/cache: v4.1.2 → v4.2.4
- actions/upload-artifact: v4.4.3 → v4.6.2
- actions/download-artifact: v4.1.8 → v5.0.0
- actions/github-script: v7.0.1 → v8
- codecov/codecov-action: v4.5.0 → v5.5.1
- MarcoIeni/release-plz-action: v0.5 → v0.5.117
- sigstore/cosign-installer: v3.7.0 → v3.10.0
- softprops/action-gh-release: v2.0.9 → v2.3.3
- taiki-e/install-action: v2.44.39 → v2.62.5

Additionally fixes cargo-binstall installation in CI by switching from shell script to official GitHub Action for better reliability.
…on and verification
Summary
This PR introduces a complete overhaul of the CI/CD pipeline with enhanced security, automation, and cross-platform support. The changes implement a modern release workflow with SLSA Level 3 attestation, comprehensive security scanning, and intelligent CI optimizations.
🚀 Key Features
🔧 Infrastructure Changes
release-plz.yml) and PR management (release-pr.yml)
.github/workflows/README.md
🛡️ Security Improvements
📦 Release Artifacts
Each release now includes:
🔄 Workflow Optimization
Test Plan
Breaking Changes
`CARGO_REGISTRY_TOKEN` secret for crates.io publishing
Migration Guide
For maintainers:
`CARGO_REGISTRY_TOKEN` secret in repository settings
`release` and `crates-io`)
For contributors: