feat(ci): binary attestation with SLSA Build Provenance v1 #194

Merged
lockwobr merged 11 commits into main from worktree-bundle-attestation on Feb 24, 2026

feat(ci): binary attestation with SLSA Build Provenance v1#194
lockwobr merged 11 commits intomainfrom
worktree-bundle-attestation

Conversation

@lockwobr (Contributor)

Summary

  • Attest CLI binaries with cosign keyless OIDC signing via GoReleaser build hook
  • Distribute releases as tar.gz archives containing binary + attestation (.sigstore.json)
  • Add on-demand Build Attested Binaries workflow for testing without release tags
  • Update install script: tar.gz extraction, checksum verification, optional cosign attestation verification
  • Extract SLSA predicate generation into reusable composite action

Motivation / Context

Fixes:
Related:

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Refactoring (no functional changes)
  • Build/CI/tooling

Component(s) Affected

  • CLI (cmd/aicr, pkg/cli)
  • API server (cmd/aicrd, pkg/api, pkg/server)
  • Recipe engine / data (pkg/recipe)
  • Bundlers (pkg/bundler, pkg/component/*)
  • Collectors / snapshotter (pkg/collector, pkg/snapshotter)
  • Validator (pkg/validator)
  • Core libraries (pkg/errors, pkg/k8s)
  • Docs/examples (docs/, examples/)
  • Other: CI/Installer

Implementation Notes

Testing

```
# Commands run (prefer `make qualify` for non-trivial changes)
make qualify
```
  • GoReleaser dry-run locally (hook skips, tar.gz created)
  • build-attested.yaml workflow produces attested archives (verified from CI artifacts)
  • Archive contents: {aicr, aicr-attestation.sigstore.json}
  • Attestation is real Sigstore bundle with Rekor inclusion proof
  • Tagged release produces attested tar.gz on GitHub Releases

Risk Assessment

  • Low — Isolated change, well-tested, easy to revert
  • Medium — Touches multiple components or has broader impact
  • High — Breaking change, affects critical paths, or complex rollout

Rollout notes:

Checklist

  • Tests pass locally (make test with -race)
  • Linter passes (make lint)
  • I did not skip/disable tests to make CI green
  • I added/updated tests for new functionality
  • I updated docs if user-facing behavior changed
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S) — GPG signing info

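The install-side procedure the summary lists (tar.gz extraction, checksum verification, optional cosign attestation verification), written out as an added example. This is editorial example code, not the project's install script. It assumes a sha256sum-style checksums file (one `<hex>  <archive-name>` line per file), the archive member names given under Testing, the GitHub Actions OIDC issuer, and a caller-supplied certificate identity regexp for the release workflow; the sample archive it builds is constructed and its attestation file is a placeholder, not a real Sigstore bundle.

```shell
#!/bin/sh
# Added example (not the project's install script): the consumer-side checks
# for a release archive containing {aicr, aicr-attestation.sigstore.json}.
# Assumed: a sha256sum-style checksums file ("<hex>  <archive-name>" per line)
# and a caller-supplied certificate identity regexp for the release workflow.
set -eu

# SHA-256 of a file; sha256sum on Linux, shasum on macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Returns 0 on match, 1 on mismatch, 2 when the checksums file has no entry
# for the archive. A missing entry is a failure, not a pass: whoever can
# replace the archive can also drop its line from the checksums file.
verify_checksum() {
  archive=$1; sums=$2
  expected=$(awk -v f="$(basename "$archive")" '$2 == f {print $1}' "$sums")
  [ -n "$expected" ] || return 2
  [ "$(sha256_of "$archive")" = "$expected" ]
}

# Extract into a fresh directory and require both members to be present.
extract_archive() {
  archive=$1; dest=$2
  mkdir -p "$dest"
  tar -xzf "$archive" -C "$dest"
  [ -f "$dest/aicr" ] && [ -f "$dest/aicr-attestation.sigstore.json" ]
}

# Optional step: skip with a warning when cosign is absent, fail hard when
# cosign is present and the bundle does not verify. Pin the OIDC issuer and
# the workflow identity so a valid bundle from any other GitHub repo is
# rejected. Older cosign releases need --new-bundle-format for .sigstore.json.
verify_attestation() {
  dir=$1; identity_regexp=$2
  if ! command -v cosign >/dev/null 2>&1; then
    echo "warning: cosign not found, skipping attestation verification" >&2
    return 0
  fi
  cosign verify-blob-attestation \
    --bundle "$dir/aicr-attestation.sigstore.json" \
    --type slsaprovenance1 \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-identity-regexp "$identity_regexp" \
    "$dir/aicr"
}

# Constructed sample release (a stub binary and a placeholder attestation
# file, not a real build or Sigstore bundle), packed and checksummed the way
# a release job would.
work=$(mktemp -d)
printf '#!/bin/sh\necho aicr stub\n' > "$work/aicr"
printf '{}\n' > "$work/aicr-attestation.sigstore.json"
tar -czf "$work/aicr.tar.gz" -C "$work" aicr aicr-attestation.sigstore.json
printf '%s  aicr.tar.gz\n' "$(sha256_of "$work/aicr.tar.gz")" > "$work/checksums.txt"

verify_checksum "$work/aicr.tar.gz" "$work/checksums.txt"
echo "checksum: OK"
extract_archive "$work/aicr.tar.gz" "$work/out"
echo "extract: OK"
# On a real download the attestation step goes here, with the identity regexp
# of the release workflow (ORG/REPO are placeholders), e.g.
#   verify_attestation "$work/out" '^https://github\.com/ORG/REPO/\.github/workflows/.+@refs/tags/v'

# Tamper with the archive: the checksum step must now refuse it.
printf 'x' >> "$work/aicr.tar.gz"
if verify_checksum "$work/aicr.tar.gz" "$work/checksums.txt"; then
  echo "BUG: tampered archive accepted" >&2; exit 1
fi
echo "checksum: tampered archive rejected"
rm -rf "$work"
```

Run as-is it shows the constructed archive passing and the tampered copy being refused. On a real download, the point of `--certificate-oidc-issuer` plus `--certificate-identity-regexp` is that a keyless signature is only as good as the identity it is bound to: accepting any Sigstore-issued certificate would let a bundle produced by an unrelated repository's workflow verify cleanly.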
@lockwobr lockwobr self-assigned this Feb 23, 2026
@lockwobr lockwobr requested review from a team as code owners February 23, 2026 23:04
@github-actions

This comment was marked as resolved.

mchmarny

This comment was marked as resolved.

@mchmarny (Member) left a comment:

/lgtm

@lockwobr lockwobr enabled auto-merge (squash) February 24, 2026 02:20
@lockwobr lockwobr merged commit 1e3474d into main Feb 24, 2026
15 checks passed
@lockwobr lockwobr deleted the worktree-bundle-attestation branch February 24, 2026 03:44

2 participants