Skip to content

Fix(ci): verify-recipes PEP 740 sweep counts by exit code + date v0.11.0 as 2026-07-18#200

Merged
allenfbyrd merged 1 commit into
mainfrom
fix/verify-recipes-and-release-date
Jul 18, 2026
Merged

Fix(ci): verify-recipes PEP 740 sweep counts by exit code + date v0.11.0 as 2026-07-18#200
allenfbyrd merged 1 commit into
mainfrom
fix/verify-recipes-and-release-date

Conversation

@allenfbyrd

Copy link
Copy Markdown
Collaborator

verify-recipes first-run fix + release-date correction

verify-recipes' first scheduled run (2026-07-17) failed — the PEP 740 sweep reported 0/8 wheels verified even though pypi-attestations verified all 8. Root cause: as of pypi-attestations 0.0.29 the OK: line goes to stderr, so the step's stdout-only capture (out=$(...)) was empty and the grep "^OK:" counter matched nothing. The attestations are valid — only the sentinel's counting was wrong (confirmed empirically: the verify command exits 0 and prints OK to stderr).

Fix: count by the verifier's exit code (if out=$(... 2>&1); then ok=$((ok+1)); fi) — robust to stream placement and format changes; 2>&1 keeps the OK/error line in the job log. Verified locally against the published v0.10.18 wheels (counts correctly). check_workflow_tools --strict + audit_workflow_permissions --strict + zizmor all clean.

Also — date v0.11.0 as 2026-07-18 (the actual ship date) across CHANGELOG, README recent-releases, ROADMAP, capability-matrix, threat-model, cli-gui-parity, and the v0.12 plan. Re-ran the FedRAMP drift probe fresh at the tag gate (clean — pins still match live upstream) and stamped UPSTREAM.json verified_at + the re-vendor provenance notes 2026-07-18.

Verification: full suite 4,947 passed; ruff, mypy, docs-health --strict 0 FAIL, doc-counts, parity, version-consistency, roadmap-currency, mirrors --check all green; no package code change.

…se 2026-07-18

verify-recipes' first scheduled run (2026-07-17) failed: the PEP 740
sweep reported 0/8 wheels verified even though pypi-attestations
verified all 8. Root cause: as of pypi-attestations 0.0.29 the `OK:`
line is written to stderr, so the step's stdout-only capture
(`out=$(...)`) was empty and the `grep "^OK:"` counter matched nothing.
The attestations themselves are valid — only the sentinel's counting
was wrong.

Fix: key the coverage count off the verifier's EXIT CODE (0 = verified)
via `if out=$(... 2>&1); then ok=$((ok+1)); fi`, which is robust to
output-stream placement and future format changes; `2>&1` keeps the
OK/error line in the job log. Verified locally against the published
v0.10.18 wheels (counts correctly). check_workflow_tools --strict,
audit_workflow_permissions --strict, and zizmor all clean.

Also: date the v0.11.0 release 2026-07-18 (the actual ship date) across
CHANGELOG, README recent-releases, ROADMAP, capability-matrix,
threat-model, cli-gui-parity, and the v0.12 plan; re-ran the FedRAMP
drift probe fresh at the tag gate (clean — pins still match live
upstream) and stamped UPSTREAM.json verified_at + the re-vendor
provenance notes 2026-07-18 accordingly.

No package code change; the fedramp emitter + conmon tests stay green.
@vercel

vercel Bot commented Jul 18, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
evidentia Building Building Preview Jul 18, 2026 6:45pm

Request Review

@codspeed-hq

codspeed-hq Bot commented Jul 18, 2026

Copy link
Copy Markdown

Merging this PR will not alter performance

✅ 6 untouched benchmarks


Comparing fix/verify-recipes-and-release-date (65f364b) with main (8420cb4)

Open in CodSpeed

@allenfbyrd
allenfbyrd added this pull request to the merge queue Jul 18, 2026
Merged via the queue into main with commit f5d4563 Jul 18, 2026
36 checks passed
@allenfbyrd
allenfbyrd deleted the fix/verify-recipes-and-release-date branch July 18, 2026 19:01
allenfbyrd added a commit that referenced this pull request Jul 18, 2026
…estation discovery

Second first-run defect in verify-recipes, masked until the PEP 740
counting fix (#200) let the run reach Recipe 3: the pinned cosign
v2.4.1 cannot DISCOVER the SLSA provenance attestation that
actions/attest-build-provenance stores via the OCI 1.1 referrers API —
it verifies the image signature fine (Recipe 2 passed) but returns
'no matching attestations' for Recipe 3.

Verified empirically against the published v0.10.18 image:
cosign v2.4.1 fails; cosign v2.6.3 exits 0 with a valid in-toto
envelope; gh attestation verify (any version) also succeeds — the
attestation exists and is valid, only old-cosign discovery is broken.

Fix: pin cosign-release v2.6.3 in verify-recipes.yml (with a comment
recording the why), and add a 'requires cosign >= 2.6' note + the
gh-attestation-verify alternative to docs/verification.md so consumers
on older cosign are not misled by a false negative.

Full local simulation of all 5 recipes against the published v0.10.18
artifacts: PASS (PEP 740 8/8, signature, attestation, gh attestation,
SBOM+osv). check_workflow_tools --strict / audit_workflow_permissions
--strict / zizmor / docs-health --strict all green; recipe-drift guard
tokens intact.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant