ci(github): add build provenance attestation#1825
Conversation
WalkthroughThe release workflow was updated to grant Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~8 minutes Possibly related PRs
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Up to standards ✅🟢 Issues
|
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/release.yaml:
- Around line 179-183: The attestation step "Attest Build Provenance" currently
sets subject-path to "Zeal-*.AppImage" and therefore omits the uploaded .zsync
sidecar; update the attestation subject to include the sidecar (e.g. change
subject-path to match "Zeal-*.AppImage*" or explicitly add
"Zeal-*.AppImage.zsync") so that the actions/attest@v4 step covers both the
.AppImage and its .zsync artifact and produces provenance for all uploaded
release artifacts.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 0b3a0990-8a8e-4a66-a977-f54df6c3c2dd
📒 Files selected for processing (1)
.github/workflows/release.yaml
19e9429 to
69501f0
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/workflows/release.yaml:
- Line 96: Replace the mutable tag "actions/attest@v4" with an immutable full
commit SHA (e.g., "actions/attest@<commit-sha>") wherever that exact token
appears (the three occurrences of uses: actions/attest@v4) so the workflow
references a pinned commit; locate the "uses: actions/attest@v4" lines and
update each to use the corresponding repository commit SHA and optionally
document the source commit in a comment.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: fa17712a-3236-4fc6-84b1-bd9ef4758a08
📒 Files selected for processing (1)
.github/workflows/release.yaml
Summary by CodeRabbit