feat(release): add build provenance attestations after goreleaser#138
Open
mvanhorn wants to merge 1 commit into Infisical:main from
Conversation
Refs Infisical#108 (item 8). Generates SLSA build provenance attestations for release archives and `checksums.txt`. Users can verify with: `gh attestation verify agent-vault_*.tar.gz --repo Infisical/agent-vault`
This was referenced Apr 28, 2026
Summary
Adds an `actions/attest-build-provenance` step after GoReleaser so release archives ship with SLSA build provenance, verifiable with `gh attestation verify` (no extra tooling).

Refs #108 (item 8). Per the maintainer's reply on that issue: "it'd be great if you could raise separate PRs for 8, 9, and 10."

Why this matters
Release archives currently ship signed checksums via cosign blob signing. That covers integrity but not the question "where did this binary actually come from?" — the same one the Trivy (March 2026) and tj-actions (March 2025) asset-swap incidents made expensive to answer. SLSA build provenance binds each artifact to the GitHub Actions run that produced it (workflow file, commit SHA, runner identity), and `gh` ships verification as a first-class subcommand. Per #108:

Changes
- `.github/workflows/release.yml`:
  - `attestations: write` to the job permissions block (alongside the existing `id-token: write` already used for cosign keyless).
  - `Generate build provenance attestations` step pinned to `actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32` (v4.1.0), matching the repo's full-SHA pinning convention.
  - `dist/*.tar.gz` archives and `dist/checksums.txt`.
- `README.md`: `### Verifying downloaded release binaries` subsection under Installation with the one-liner `gh attestation verify agent-vault_*.tar.gz --repo Infisical/agent-vault`.

Testing
- `python3` YAML parse confirms structure: `permissions.attestations: write` and the new step at position 10/10 with the v4.1.0 SHA.
- `go build ./...` clean — Go module dependencies resolve.
- End-to-end verification can only be exercised against a real tag push (the workflow is `on: push: tags: v*`). Suggest cutting an RC tag (e.g. `v0.13.1-rc1`) on a feature branch to verify the attestation publishes correctly before the next prod release.

Order with #9 and #10
This is item 8 of #108. Item 9 (`docker_signs`) is independent — happy to send next. Item 10 (`install.sh` cosign + checksum verify) was flagged by the original reporter as best ordered after this lands so it can prefer `gh attestation verify` when `gh` is available.

Fixes #108

This contribution was developed with AI assistance.
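The workflow layout the PR describes, as an added illustration rather than the PR's own diff: the job name, the checkout and GoReleaser steps, the `contents: write` permission and the final in-workflow smoke check are assumptions, while the action pin, the `attestations: write` permission and the subject paths are the ones named in the PR text.

```yaml
# Added illustration, not the PR's diff. Assumed: job name, checkout/GoReleaser
# steps, `contents: write`, and the final smoke-check step.
name: release

on:
  push:
    tags:
      - "v*"

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # assumed: GoReleaser publishes the GitHub release
      id-token: write      # existing: OIDC token for cosign keyless signing
      attestations: write  # new in this PR: allows writing provenance attestations
    steps:
      - uses: actions/checkout@v4          # assumed; the repo pins to full SHAs
        with:
          fetch-depth: 0                   # GoReleaser needs tags for the changelog

      - name: Run GoReleaser
        uses: goreleaser/goreleaser-action@v6   # assumed; pin to a full SHA in practice
        with:
          args: release --clean
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # The step this PR adds. It must run after GoReleaser so dist/ exists;
      # each listed file becomes a subject of the SLSA provenance statement,
      # bound to this workflow file, commit SHA and runner identity.
      - name: Generate build provenance attestations
        uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
        with:
          subject-path: |
            dist/*.tar.gz
            dist/checksums.txt

      # Assumed smoke check: verify the freshly written attestations with the gh CLI
      # that ships on GitHub-hosted runners, so a broken provenance pipeline fails
      # the release run instead of being discovered by a downstream user.
      - name: Verify attestations
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          for f in dist/*.tar.gz dist/checksums.txt; do
            gh attestation verify "$f" --repo "$GITHUB_REPOSITORY"
          done
```

The verify step runs the same command the README one-liner gives users, so a release that passes it is one a user can verify offline from the published attestation.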