feat(release): add SBOM-to-archive attestation linkage #141
Open
jmeridth wants to merge 1 commit into
Conversation
## What

Add a new `attest_sboms` matrix job that runs `actions/attest-sbom` per (archive, SBOM) pair after `release_goreleaser` produces artifacts. Expose `sbom_matrix` and `is_public` as outputs from `release_goreleaser`, upload `dist/` as a workflow artifact when SBOMs are detected, and gate `publish_release` on `attest_sboms` so the draft is published only after all SBOM attestations complete.

## Why

Today the workflow generates build provenance attestations against every artifact in `dist/`, including `*.spdx.json` files as standalone subjects, but it does not link an archive to its corresponding SBOM. Consumers running `gh attestation verify --predicate-type https://spdx.dev/Document` against a downloaded archive cannot discover its SBOM via the attestation graph. Adding `actions/attest-sbom` linkage closes that gap and removes the need for per-consumer follow-on jobs that replicate the matrix dance locally.

## Notes

- New job runs only when `create-attestation: true`, the repo is public, and `dist/*.spdx.json` files exist. Behavior is unchanged when SBOMs are not produced or attestation is off.
- Matrix is generated from `dist/*.spdx.json` filenames, stripping `.spdx.json` to derive the archive path. Requires GoReleaser's default `${artifact}.spdx.json` naming pattern (or any pattern that maps 1:1 by the same suffix strip).
- `publish_release` now waits for `attest_sboms` to succeed-or-skip, so SBOM attestation failures will block publish (mirrors the existing gate on `release_goreleaser` and `release_image`). Matrix uses `fail-fast: false` so one failed pair does not cancel the others.
- `dist/` upload uses 1-day retention; consumed by the matrix job immediately, no long-term need.
- `release_goreleaser` continues to do `attest-build-provenance` over `dist/*.spdx.json`; the new linkage is additive, not a replacement.

Signed-off-by: jmeridth <jmeridth@gmail.com>
jmeridth (Collaborator, Author):

@zkoppert this has me thinking on how to split out specific release parts for specific languages. This release yaml is smelling of a bit too much Go IMO. 😄 For now, need this to be reviewed and merged. 🙏
## Proposed Changes

Add a new `attest_sboms` matrix job that runs `actions/attest-sbom` per (archive, SBOM) pair after `release_goreleaser` produces artifacts. Expose `sbom_matrix` and `is_public` as outputs from `release_goreleaser`, upload `dist/` as a workflow artifact when SBOMs are detected, and gate `publish_release` on `attest_sboms` so the draft publishes only after all SBOM attestations complete.

## Why

The workflow already generates build provenance attestations against every artifact in `dist/`, including `*.spdx.json` files as standalone subjects, but it does not link an archive to its corresponding SBOM. Consumers running `gh attestation verify --predicate-type https://spdx.dev/Document` against a downloaded archive cannot discover its SBOM via the attestation graph. Adding `actions/attest-sbom` linkage closes that gap and removes the need for per-consumer follow-on jobs that replicate the matrix dance locally (downstream consumers have been writing this exact pattern in their callers).

## Notes for reviewers

- New job runs only when `create-attestation: true`, the repo is public, and `dist/*.spdx.json` files exist. Behavior is unchanged when SBOMs are not produced or attestation is off.
- Matrix is generated from `dist/*.spdx.json` filenames, stripping `.spdx.json` to derive the archive path. Relies on GoReleaser's default `${artifact}.spdx.json` naming pattern (or any pattern that maps 1:1 by the same suffix strip).
- `publish_release` now waits for `attest_sboms` to succeed-or-skip — mirrors the existing gates on `release_goreleaser` and `release_image`. Matrix uses `fail-fast: false` so one failed pair does not cancel the others.
- `dist/` upload uses 1-day retention; consumed by the matrix job immediately, no long-term need.
- `release_goreleaser` continues to do `attest-build-provenance` over `dist/*.spdx.json`; the new SBOM linkage is additive, not a replacement.
- `create-attestation` flag. Considered adding a separate `attest-sboms: boolean` knob but it felt redundant given the existing flag's name.

## Testing

- `actionlint .github/workflows/release.yaml` clean.
- `test-release.yaml` does not pass `goreleaser-config-path`, so `release_goreleaser` is skipped in tests; `attest_sboms` cascades to skipped via its `if:` guard — no test regression. End-to-end verification requires triggering a release in a downstream caller that exercises goreleaser + SBOMs (planned: `ossf/pvtr-github-repo-scanner` will consume this once released).

## Readiness Checklist

### Author/Contributor

- `docs/release.md` updated with the new job and SBOM linkage behavior.
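The matrix derivation and the job-level guard described in the Notes above, as an added POSIX shell example that is not part of this PR or the repository's workflow. It assumes GoReleaser's default `${artifact}.spdx.json` naming, emits the `{"include":[...]}` object that a GitHub Actions `matrix: ${{ fromJson(...) }}` expression accepts, and skips any SBOM whose archive is missing so the matrix never points an attestation step at a subject that does not exist. The function names (`has_sboms`, `should_attest`, `sbom_matrix`, `make_sample_dist`) and the sample `dist/` contents are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from this PR or the repository's workflow.
# Derives the (archive, SBOM) matrix from GoReleaser-style "${artifact}.spdx.json"
# names and reproduces the attest_sboms job guard in shell form. Function names
# and the sample dist/ contents below are constructed for this example.
set -eu

# has_sboms DIR: succeed if DIR holds at least one *.spdx.json (one of the
# three conditions the attest_sboms job is gated on).
has_sboms() {
  for f in "$1"/*.spdx.json; do
    [ -e "$f" ] && return 0
  done
  return 1
}

# should_attest CREATE_ATTESTATION IS_PUBLIC DIR: the job's if: guard.
# All three must hold: attestation enabled, repo public, SBOMs present.
should_attest() {
  [ "$1" = "true" ] && [ "$2" = "true" ] && has_sboms "$3"
}

# sbom_matrix DIR: print a GitHub Actions matrix object,
#   {"include":[{"archive":"...","sbom":"..."},...]}
# pairing each SBOM with the archive obtained by stripping ".spdx.json".
# An SBOM whose archive does not exist is reported on stderr and left out,
# so the matrix never names a missing subject. Paths are assumed free of
# '"' and '\' (true for GoReleaser's default names); no JSON escaping is done.
sbom_matrix() {
  dir=$1
  first=1
  printf '{"include":['
  for sbom in "$dir"/*.spdx.json; do
    [ -e "$sbom" ] || break          # glob matched nothing
    archive=${sbom%.spdx.json}       # suffix strip -> archive path
    if [ ! -f "$archive" ]; then
      echo "warning: no archive for $sbom, skipping" >&2
      continue
    fi
    [ "$first" -eq 1 ] || printf ','
    first=0
    printf '{"archive":"%s","sbom":"%s"}' "$archive" "$sbom"
  done
  printf ']}\n'
}

# make_sample_dist: constructed stand-in for GoReleaser's dist/ output; prints
# the directory path. Includes one orphan SBOM to exercise the skip path.
make_sample_dist() {
  d=$(mktemp -d)
  : > "$d/app_1.2.3_linux_amd64.tar.gz"
  : > "$d/app_1.2.3_linux_amd64.tar.gz.spdx.json"
  : > "$d/app_1.2.3_windows_amd64.zip"
  : > "$d/app_1.2.3_windows_amd64.zip.spdx.json"
  : > "$d/orphan.spdx.json"
  printf '%s' "$d"
}

# Usage as the producing step would run it: compute the output the matrix job
# reads (in a workflow, append this line to "$GITHUB_OUTPUT" instead of stdout).
dist=$(make_sample_dist)
if should_attest true true "$dist"; then
  echo "sbom_matrix=$(sbom_matrix "$dist")"
fi
```

Running the script prints one `sbom_matrix=...` line with the two real pairs and a warning on stderr for the orphan SBOM; in a workflow the same value would be read by the matrix job through `fromJson`, and each `include` entry supplies the archive and SBOM paths for one attestation step.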