
ci(github): add build provenance attestation#1825

Merged
trollixx merged 1 commit into
zealdocs:mainfrom
trollixx:ci-github-attestation
Apr 12, 2026

Conversation

@trollixx trollixx commented Apr 12, 2026

Member

Summary by CodeRabbit

  • Chores
    • Updated release workflow to add provenance attestation for build artifacts across all platforms.
    • Expanded workflow permissions to allow attestation steps while preserving existing upload and publishing behavior.

coderabbitai Bot commented Apr 12, 2026


Walkthrough

The release workflow was updated to grant attestations: write and id-token: write to build jobs and to add an "Attest Build Provenance" step (actions/attest@v4) into each build job, producing attestations for the artifacts uploaded during release.

Changes

Cohort / File(s): GitHub Actions — release workflow, .github/workflows/release.yaml
Summary: Expanded job-level permissions (attestations: write, id-token: write) for three build jobs and inserted an "Attest Build Provenance" step using actions/attest@v4 after build/packaging and before upload. Subject paths set per job: build/${{ matrix.config.configurePreset }}/${{ matrix.config.uploadPattern }} (Windows), Zeal-*.AppImage* (AppImage), build/${{ matrix.config.configurePreset }}/zeal-*.* (Ubuntu source). Upload and release publishing steps unchanged.

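An added example of the job shape the walkthrough describes; it is not the PR's diff, which this page does not reproduce. It assumes the actions/attest-build-provenance wrapper of the actions/attest action named above, a placeholder commit SHA in place of the mutable @v4 tag as the second review comment asks, and hypothetical build and upload step names; the subject pattern Zeal-*.AppImage* is the one the summary gives for the AppImage job.

```yaml
# Added example, not the zealdocs/zeal release.yaml itself. Action versions are
# shown as 40-zero placeholders: replace each with the full commit SHA you have
# audited, so a moved tag cannot change what runs inside the release job.
jobs:
  build-appimage:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # assumed: needed by the existing release upload step
      id-token: write        # lets the job request an OIDC token that identifies this workflow run
      attestations: write    # lets the job store the signed provenance in the repo's attestation API
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000  # placeholder SHA

      - name: Build AppImage          # hypothetical stand-in for the project's build/packaging steps
        run: ./build-appimage.sh      # hypothetical script name

      # Attest after packaging and before upload, so every artifact that ships
      # has provenance. The trailing "*" also matches the .zsync sidecar that
      # the first review comment found missing from the original pattern.
      - name: Attest Build Provenance
        uses: actions/attest-build-provenance@0000000000000000000000000000000000000000  # placeholder SHA
        with:
          subject-path: Zeal-*.AppImage*

      - name: Upload release artifacts   # existing step; its exact shape is assumed here
        run: gh release upload "${GITHUB_REF_NAME}" Zeal-*.AppImage*
        env:
          GH_TOKEN: ${{ github.token }}
```

A downloader can then check a published file against the recorded provenance with gh attestation verify Zeal-<version>.AppImage --repo zealdocs/zeal, which fails when the file's digest has no attestation signed from this repository's workflow.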

codacy-production Bot commented Apr 12, 2026


Up to standards ✅

Issues: 0 new issues


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1


Inline comments:
In @.github/workflows/release.yaml:
- Around line 179-183: The attestation step "Attest Build Provenance" currently sets subject-path to "Zeal-*.AppImage" and therefore omits the uploaded .zsync sidecar; update the attestation subject to include the sidecar (e.g. change subject-path to match "Zeal-*.AppImage*" or explicitly add "Zeal-*.AppImage.zsync") so that the actions/attest@v4 step covers both the .AppImage and its .zsync artifact and produces provenance for all uploaded release artifacts.


Reviewing files that changed from the base of the PR and between 55ee25c and 19e9429.

📒 Files selected for processing (1)
  • .github/workflows/release.yaml

@trollixx trollixx force-pushed the ci-github-attestation branch from 19e9429 to 69501f0 Compare April 12, 2026 15:54

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1


Inline comments:
In @.github/workflows/release.yaml:
- Line 96: Replace the mutable tag "actions/attest@v4" with an immutable full commit SHA (e.g., "actions/attest@<commit-sha>") wherever that exact token appears (the three occurrences of uses: actions/attest@v4) so the workflow references a pinned commit; locate the "uses: actions/attest@v4" lines and update each to use the corresponding repository commit SHA and optionally document the source commit in a comment.


Reviewing files that changed from the base of the PR and between 19e9429 and 69501f0.

📒 Files selected for processing (1)
  • .github/workflows/release.yaml

@trollixx trollixx merged commit c26f4f6 into zealdocs:main Apr 12, 2026
14 checks passed
@trollixx trollixx deleted the ci-github-attestation branch April 12, 2026 19:34
@zealdocs-ci zealdocs-ci Bot mentioned this pull request Apr 12, 2026
