feat(G3): upgrade CLI attestation to SLSA Build L3 with actions/attest-build-provenance #237
KooshaPari wants to merge 1 commit into
…t-build-provenance
Legacy Tooling Scan Report
No violations detected. This is a WARN-mode scan. Fix before strict enforcement begins.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 485586483e
| # Publishes to the GitHub attestations API — queryable via | ||
| # `gh attestation verify` and visible on the repo's Attestations tab. | ||
| # v1.3.0 = 35a8f9717e7a2adb1c2c3b2ac88961ba9c230e98 | ||
| uses: actions/attest-build-provenance@35a8f9717e7a2adb1c2c3b2ac88961ba9c230e98 |
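Review bot: The pin comment `# v1.3.0 = 35a8f9717e7a2adb1c2c3b2ac88961ba9c230e98` and the `uses:` SHA must point at the same upstream commit, and the Codex comment on this hunk reports that this SHA does not resolve in actions/attest-build-provenance. Resolve the tag from upstream (`git ls-remote --tags https://github.com/actions/attest-build-provenance v1.3.0`, taking the peeled `^{}` line if the tag is annotated) and pin that commit, keeping the version comment in sync so the pin stays auditable rather than becoming a stale label next to an unverifiable hash.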
Pin the attestation action to an existing ref
On release/manual runs, this step cannot even be downloaded because the pinned ref does not exist in actions/attest-build-provenance (the upstream v1.3.0 release page points at commit 3119152, while https://github.com/actions/attest-build-provenance/commit/35a8f9717e7a2adb1c2c3b2ac88961ba9c230e98 returns 404). GitHub resolves uses: refs before the job can attest anything, so this breaks the release attestation workflow outright.
| run: | | ||
| set -euo pipefail | ||
| cargo build --release --locked --workspace --all-targets || true | ||
| cargo build --release --locked -p byteport-cli 2>&1 |
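Review bot: The `|| true` on the `--all-targets` line silently swallows any workspace build failure, so a broken crate elsewhere in the workspace will not stop a release run; either drop `|| true` or move that build into its own explicitly non-blocking step so the intent is visible. The trailing `2>&1` on the `-p byteport-cli` line merges stderr into stdout with nothing consuming the combined stream, so it only reorders log output and can be removed. This step also builds `byteport-cli` while the attestation input elsewhere in this workflow names `pheno-dag`; the package built, the uploaded artifact and the attested subject should all refer to the same binary, otherwise the provenance is produced for a file the build never created.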
Build a package that exists in this workspace
When this workflow runs, cargo build -p byteport-cli will fail because there is no byteport-cli package in the workspace; the current Cargo manifests declare packages like byteport-transport and app (with a byteport bin), and a repo-wide search for byteport-cli/pheno-dag only hits this workflow. Since the previous || true was removed, published releases/manual runs now stop here before producing any artifact or provenance.
| with: | ||
| artifact-name: release-artifacts | ||
| subject-name: ${{ github.repository }}/pheno-dag | ||
| subject-digest: sha256:$(sha256sum ${{ env.CARGO_WORKDIR }}/release-artifacts/pheno-dag-linux-amd64 | awk '{print $1}') |
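Review bot: `with:` inputs are not run through a shell, so `subject-digest` receives the literal text `sha256:$(sha256sum ... | awk '{print $1}')` rather than a digest and the action has nothing valid to attest. Compute the digest in a preceding `run:` step and export it, for example `echo "digest=sha256:$(sha256sum "$CARGO_WORKDIR/release-artifacts/pheno-dag-linux-amd64" | awk '{print $1}')" >> "$GITHUB_OUTPUT"`, then pass `subject-digest: ${{ steps.<step-id>.outputs.digest }}`; alternatively point `subject-path` at the binary and let the action hash it. The path also depends on `env.CARGO_WORKDIR`, which this hunk does not define, so confirm it is set at the job or workflow level.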
Pass a real digest or attest the artifact path
If the job reaches the attestation step, this input is passed as the literal string sha256:$(sha256sum ... | awk ...); with: values are action inputs, not shell scripts, and the action's subject-digest input must be an algorithm:hex_digest value (the upstream action.yml says exactly that) or you can use subject-path for a binary. As written, the action will reject the digest instead of publishing provenance for the uploaded artifact.



User description
Summary
Add Tier-1 enforcement gate on PR to BytePort, providing automated security scanning, SBOM validation, LICENSE verification, and CHANGELOG update checks.
Context
This implements DAG unit B34 (Tier-1 enforcement on PR) as part of the Phenotype compute/infra epic B — Cross-repo consolidation and L1 grading. Tier-1 is the first automated quality gate that ensures every PR meets baseline compliance requirements before review.
Changes
- cargo-audit via rustsec/audit-check@v2 on every PR to detect known vulnerabilities in Rust dependencies
- SBOM generation with cargo-cyclonedx; validates the output is non-empty and uploads it as a build artifact (60-day retention)
- LICENSE check: a license file is present (LICENSE, LICENSE-MIT, LICENSE.md) and is substantive (>=5 lines)
- CHANGELOG update check ([Unreleased] section)
CodeAnt-AI Description
Upgrade CLI release attestation to SLSA Build L3
Impact
- Stronger release provenance
- Easier release verification
- Fewer missing-binary release uploads