ci: implement immutable releases support with actions/attest

.github/actions/publish/action.yml

@@ -24,9 +24,12 @@ inputs:
     required: true
 
 outputs:
-  hashes:
-    description: sha256sum hashes of built artifacts
-    value: ${{ steps.hash.outputs.hashes }}
+  checksum_file:
+    description: path to the sha256 checksums file generated by goreleaser
+    value: ${{ steps.binary.outputs.checksum_file }}
+  images_and_digests:
+    description: built docker image names and digests in JSON format
+    value: ${{ steps.image.outputs.images_and_digests }}
 
 runs:
   using: composite
@@ -76,8 +79,27 @@ runs:
       with:
         name: ldcli
         path: dist/*
-    - name: Hash build artifacts for provenance
-      id: hash
+    - name: Generate binary checksum file path
+      id: binary
       shell: bash
       run: |
-        echo "hashes=$(sha256sum dist/*.tar.gz | base64 -w0)" >> "$GITHUB_OUTPUT"
+        # Extract path to checksums file generated by goreleaser from dist/artifacts.json
+        set -euo pipefail
+
+        checksum_file=$(jq -r '.[] | select (.type=="Checksum") | .path' dist/artifacts.json)
+        echo "checksum_file=$checksum_file" >> "$GITHUB_OUTPUT"
+    - name: Output image and digest
+      id: image
+      shell: bash
+      run: |
+        # Extract image names and digests from goreleaser's dist/artifacts.json
+        set -euo pipefail
+
+        echo "images_and_digests=$(jq -c '. | map(select (.type=="Docker Manifest") | .image=(.path | split(":")[0]) | .digest=(.extra | .Digest) | {image, digest})' dist/artifacts.json)" >> "$GITHUB_OUTPUT"
+    - name: Upload Release Artifacts
+      if: ${{ inputs.dry-run != 'true' }}
+      shell: bash
+      env:
+        GITHUB_TOKEN: ${{ inputs.token }}
+      run: |
+        gh release upload "${{ inputs.tag }}" ./dist/*.tar.gz ./dist/*.zip ./dist/*.txt --clobber

.github/workflows/manual-publish.yml

@@ -2,7 +2,7 @@ name: Manually Publish Images and Artifacts
 on:
   workflow_dispatch:
     inputs:
-      dry-run:
+      dry_run:
         default: true
         description: 'Skip publishing to DockerHub and Homebrew'
         required: false
@@ -13,20 +13,26 @@ on:
         required: false
         type: boolean
       tag:
-        description: 'Tag to upload binary artifacts to'
+        description: 'Tag of an existing draft release to upload binary artifacts to.'
         required: true
         type: string
+      publish_release:
+        description: 'Publish (un-draft) the release after all artifacts are uploaded?'
+        type: boolean
+        required: false
+        default: true
 
 jobs:
 
   release-ldcli:
     permissions:
-      id-token: write # Needed to obtain Docker tokens
+      id-token: write # Needed to obtain Docker tokens and to sign attestations
       contents: write # Needed to upload release artifacts
       packages: read # Needed to load goreleaser-cross image
+      attestations: write # Needed for artifact attestations
     runs-on: ubuntu-latest
     outputs:
-      hashes: ${{ steps.publish.outputs.hashes }}
+      images_and_digests: ${{ steps.publish.outputs.images_and_digests }}
     steps:
       - uses: actions/checkout@v4
         name: Checkout
@@ -44,16 +50,39 @@ jobs:
       - uses: ./.github/actions/publish
         id: publish
         with:
-          dry-run: ${{ inputs.dry-run }}
+          dry-run: ${{ inputs.dry_run }}
           token: ${{ secrets.GITHUB_TOKEN }}
-          homebrew-gh-secret: ${{secrets.HOMEBREW_DEPLOY_KEY}}
+          homebrew-gh-secret: ${{ secrets.HOMEBREW_DEPLOY_KEY }}
           tag: ${{ inputs.tag }}
           ghcr_token: "${{ secrets.GITHUB_TOKEN }}"
 
+      - name: Attest binary artifacts
+        if: ${{ !inputs.dry_run }}
+        uses: actions/attest@v4
+        with:
+          subject-checksums: ${{ steps.publish.outputs.checksum_file }}
+
+  attest-image-provenance:
+    needs: [release-ldcli]
+    if: ${{ !inputs.dry_run }}
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+    strategy:
+      matrix:
+        images_and_digests: ${{ fromJson(needs.release-ldcli.outputs.images_and_digests) }}
+    steps:
+      - name: Attest container image
+        uses: actions/attest@v4
+        with:
+          subject-name: ${{ matrix.images_and_digests.image }}
+          subject-digest: ${{ matrix.images_and_digests.digest }}
+
   release-ldcli-npm:
     runs-on: ubuntu-latest
     if: ${{ inputs.dry-run-npm == false }}
-    needs: ['release-ldcli']
+    needs: [release-ldcli]
     permissions:
       actions: read
       id-token: write
@@ -76,18 +105,23 @@ jobs:
         name: Publish NPM Package
         uses: ./.github/actions/publish-npm
         with:
-          dry-run: ${{ inputs.dry-run }}
-          prerelease: ${{ inputs.prerelease }}
+          dry-run: ${{ inputs.dry_run }}
+          prerelease: 'false'
 
-  release-ldcli-provenance:
-    needs: ['release-ldcli']
+  publish-release:
+    needs: [release-ldcli, attest-image-provenance, release-ldcli-npm]
+    # !cancelled() && !failure() lets this job run when release-ldcli-npm was
+    # skipped (dry-run-npm: true) but still blocks if any needed job failed.
+    if: ${{ !cancelled() && !failure() && !inputs.dry_run && inputs.publish_release }}
+    runs-on: ubuntu-latest
     permissions:
-        actions: read
-        id-token: write
-        contents: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
-    with:
-        base64-subjects: "${{ needs.release-ldcli.outputs.hashes }}"
-        upload-assets: true
-        upload-tag-name: ${{ inputs.tag }}
-        provenance-name: ${{ format('ldcli_{0}_multiple_provenance.intoto.jsonl', inputs.tag) }}
+      contents: write
+    steps:
+      - name: Publish release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ inputs.tag }}
+        run: >
+          gh release edit "$TAG_NAME"
+          --repo ${{ github.repository }}
+          --draft=false

.github/workflows/release-please.yml

@@ -1,37 +1,65 @@
 name: Run Release Please
 
 on:
-  pull_request:
   push:
     branches:
       - main
 
 jobs:
   release-please:
     runs-on: ubuntu-latest
-    if: github.event_name == 'push'
     permissions:
       contents: write
       pull-requests: write
     outputs:
       release_created: ${{ steps.release.outputs.release_created }}
       tag_name: ${{ steps.release.outputs.tag_name }}
     steps:
-      - uses: googleapis/release-please-action@5c625bfb5d1ff62eadeeb3772007f7f66fdcf071 # v4.4.1
+      # Create any releases in release, then create tags, and then optionally create any new PRs.
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
         id: release
         with:
-          token: ${{secrets.GITHUB_TOKEN}}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          skip-github-pull-request: true
+
+      # Need the repository content to be able to create and push a tag.
+      - uses: actions/checkout@v4
+        if: ${{ steps.release.outputs.release_created == 'true' }}
+
+      - name: Create release tag
+        if: ${{ steps.release.outputs.release_created == 'true' }}
+        env:
+          TAG_NAME: ${{ steps.release.outputs.tag_name }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if gh api "repos/${{ github.repository }}/git/ref/tags/${TAG_NAME}" >/dev/null 2>&1; then
+            echo "Tag ${TAG_NAME} already exists, skipping creation."
+          else
+            echo "Creating tag ${TAG_NAME}."
+            git config user.name "github-actions[bot]"
+            git config user.email "github-actions[bot]@users.noreply.github.com"
+            git tag "${TAG_NAME}"
+            git push origin "${TAG_NAME}"
+          fi
+
+      - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
+        if: ${{ steps.release.outputs.release_created != 'true' }}
+        id: release-prs
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          skip-github-release: true
 
   release-ldcli:
     permissions:
-      id-token: write # Needed to obtain Docker tokens
+      id-token: write # Needed to obtain Docker tokens and to sign attestations
       contents: write # Needed to upload release artifacts
       packages: read # Needed to load goreleaser-cross image
-    needs: [ release-please ]
-    if: needs.release-please.outputs.release_created == 'true' || github.event_name == 'pull_request'
+      attestations: write # Needed for artifact attestations
+    needs: [release-please]
+    if: needs.release-please.outputs.release_created == 'true'
     runs-on: ubuntu-22.04-8core-32gb
     outputs:
-      hashes: ${{ steps.publish.outputs.hashes }}
+      images_and_digests: ${{ steps.publish.outputs.images_and_digests }}
     steps:
       - uses: actions/checkout@v4
         name: Checkout
@@ -49,16 +77,36 @@ jobs:
       - uses: ./.github/actions/publish
         id: publish
         with:
-          dry-run: ${{ github.event_name == 'pull_request' }}
-          snapshot: ${{ github.event_name == 'pull_request' }}
+          dry-run: 'false'
           token: ${{ secrets.GITHUB_TOKEN }}
-          homebrew-gh-secret: ${{secrets.HOMEBREW_DEPLOY_KEY}}
+          homebrew-gh-secret: ${{ secrets.HOMEBREW_DEPLOY_KEY }}
           tag: ${{ needs.release-please.outputs.tag_name }}
           ghcr_token: "${{ secrets.GITHUB_TOKEN }}"
 
+      - name: Attest binary artifacts
+        uses: actions/attest@v4
+        with:
+          subject-checksums: ${{ steps.publish.outputs.checksum_file }}
+
+  attest-image-provenance:
+    needs: [release-ldcli]
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+    strategy:
+      matrix:
+        images_and_digests: ${{ fromJson(needs.release-ldcli.outputs.images_and_digests) }}
+    steps:
+      - name: Attest container image
+        uses: actions/attest@v4
+        with:
+          subject-name: ${{ matrix.images_and_digests.image }}
+          subject-digest: ${{ matrix.images_and_digests.digest }}
+
   release-ldcli-npm:
     runs-on: ubuntu-latest
-    needs: ['release-please', 'release-ldcli']
+    needs: [release-please, release-ldcli]
     permissions:
       id-token: write
       contents: write
@@ -78,18 +126,21 @@ jobs:
         name: Publish NPM Package
         uses: ./.github/actions/publish-npm
         with:
-          dry-run: ${{ github.event_name == 'pull_request' }}
+          dry-run: 'false'
           prerelease: 'false'
 
-  release-ldcli-provenance:
-    needs: ['release-please', 'release-ldcli']
+  publish-release:
+    needs: [release-please, release-ldcli, attest-image-provenance, release-ldcli-npm]
+    if: needs.release-please.outputs.release_created == 'true'
+    runs-on: ubuntu-latest
     permissions:
-      actions: read
-      id-token: write
       contents: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
-    with:
-      base64-subjects: "${{ needs.release-ldcli.outputs.hashes }}"
-      upload-assets: true
-      upload-tag-name: ${{ needs.release-please.outputs.tag_name }}
-      provenance-name: ${{ format('ldcli_{0}_multiple_provenance.intoto.jsonl', needs.release-please.outputs.tag_name) }}
+    steps:
+      - name: Publish release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ needs.release-please.outputs.tag_name }}
+        run: >
+          gh release edit "$TAG_NAME"
+          --repo ${{ github.repository }}
+          --draft=false

.goreleaser.yaml

@@ -2,6 +2,13 @@ version: 2
 
 project_name: ldcli
 
+release:
+  # release-please owns the GitHub release lifecycle (creates the draft, and
+  # publish-release un-drafts at the end). Goreleaser only builds binaries and
+  # pushes images; the workflow's `gh release upload` step attaches artifacts
+  # to the draft. See .github/workflows/release-please.yml for the full flow.
+  disable: true
+
 env:
   - GO111MODULE=on # Ensure we aren't using anything in GOPATH when building
   - CGO_ENABLED=1 # Needed for SQLite support