ci: add backport automation, SLSA provenance, and benchstat gating #33

Merged: SebTardif merged 6 commits into main from ci/wave3-release-supply-chain on May 26, 2026

Conversation

@SebTardif

Contributor

Summary

Implements Wave 3 CI improvements: backport automation, SLSA Level 3 supply-chain provenance, and benchmark regression gating.

Backport automation (#25)

  • New .github/workflows/backport.yaml using korthout/backport-action
  • Triggers when a merged PR has a backport/<branch> label
  • Cherry-picks the merge commit and opens a backport PR targeting the release branch
  • Documented in CONTRIBUTING.md

SLSA Level 3 provenance (#27)

  • Two new jobs in release.yaml using slsa-framework/slsa-github-generator reusable workflows
  • Binary provenance: generates and uploads a signed attestation for all GoReleaser artifacts
  • Container provenance: generates and attaches a signed attestation to the GHCR container image
  • Artifacts are verifiable with slsa-verifier

Benchmark regression gating (#28)

  • Benchmarks now run with -count=5 for statistical validity (was -count=1)
  • benchstat compares PR results against a cached baseline from main
  • Comparison table posted to the Actions step summary
  • Baseline updated only on pushes to main
  • Advisory mode (no failure threshold yet); tighten once baselines stabilize on GitHub-hosted runners

All actions are SHA-pinned per project convention.

Closes #25, Closes #27, Closes #28
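The benchstat comparison described above runs in advisory mode for now; the piece that turns it into a real gate is a threshold check over benchstat's output. The script below is an added example, not code from this PR or the project: it assumes benchstat has already been run on the cached baseline and the PR results and that its text is in a file, and it exercises the gate on a constructed sample rather than real benchmark numbers.

```shell
#!/usr/bin/env bash
# Added example (not from the project): turn benchstat's comparison output
# into a pass/fail gate with a percentage threshold. Assumes benchstat has
# already compared "-count=5" results for main (baseline) and the PR.
#
# Typical CI pipeline (shown for context, not executed by this script):
#   go test -run '^$' -bench . -benchmem -count=5 ./... > new.txt
#   benchstat old.txt new.txt > compare.txt   # old.txt = cached baseline from main
#   gate_benchstat compare.txt 10             # fail if anything is >10% slower

# gate_benchstat FILE THRESHOLD_PCT
# Exit 0 when no benchmark regressed by more than THRESHOLD_PCT, 1 otherwise.
# Only rows benchstat judged statistically significant carry a numeric delta
# followed by "(p=...)"; rows marked "~" and the geomean row (no p-value) are
# ignored. Caveat: a positive delta is treated as a regression, which is right
# for lower-is-better metrics (sec/op, B/op, allocs/op) but wrong for
# throughput (B/s) columns, so keep those out of the gated comparison.
gate_benchstat() {
  file=$1
  threshold=$2
  awk -v thr="$threshold" '
    match($0, /[+-][0-9]+(\.[0-9]+)?% +\(p=/) {
      delta = substr($0, RSTART, RLENGTH)   # e.g. "+15.00% (p="
      sub(/%.*/, "", delta)                # -> "+15.00"
      sub(/^\+/, "", delta)                # -> "15.00"
      delta += 0
      if (delta > thr) {
        printf "REGRESSION %s %.2f%% exceeds %.2f%%\n", $1, delta, thr
        bad = 1
      }
    }
    END { exit bad ? 1 : 0 }
  ' "$file"
}

# write_sample_benchstat FILE
# Writes a constructed benchstat comparison (sample data, not real results)
# so the gate can be exercised offline.
write_sample_benchstat() {
  cat > "$1" <<'EOF'
goos: linux
goarch: amd64
pkg: example.invalid/demo
          │ old.txt  │              new.txt               │
          │  sec/op  │   sec/op    vs base                │
Parse-8     1.000µ ± 2%   1.150µ ± 3%  +15.00% (p=0.002 n=5)
Encode-8    2.000µ ± 1%   2.010µ ± 2%        ~ (p=0.310 n=5)
Decode-8    3.000µ ± 2%   2.700µ ± 1%  -10.00% (p=0.001 n=5)
geomean     1.817µ        1.839µ        +1.21%
EOF
}

# Run with --demo to see the gate reject the constructed sample at 10%.
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp)
  write_sample_benchstat "$tmp"
  if gate_benchstat "$tmp" 10; then echo "gate passed"; else echo "gate failed"; fi
  rm -f "$tmp"
fi
```

The threshold is deliberately a single number so the advisory step can be promoted to a required check by changing one argument once baselines on GitHub-hosted runners stop drifting; until then the `REGRESSION` lines can simply be appended to the step summary alongside the table.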

SebTardif added 3 commits May 25, 2026 16:04
Dependabot auto-generates titles with 'Bump' (uppercase), which
violates the lowercase-subject rule. Since Dependabot titles are
auto-generated and not human-controlled, skip the check for bot PRs.

Also add commit-message prefix to dependabot.yml so future PRs use
the 'chore(deps)' conventional commits prefix.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
- Add backport workflow with korthout/backport-action (Closes #25)
- Add SLSA Level 3 provenance for binaries and container images (Closes #27)
- Add benchstat regression comparison to benchmark job (Closes #28)

Backport: triggers on merged PRs with backport/* labels, cherry-picks
to the target release branch and opens a backport PR.

SLSA: two new jobs in the release workflow generate non-forgeable
provenance attestations via slsa-github-generator reusable workflows,
one for GoReleaser binary artifacts and one for the container image.

Benchstat: benchmarks now run with -count=5 for statistical validity,
baseline cached from main pushes, and comparison table posted to the
Actions step summary on PRs.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
…k checks

Fix squidfun -> squidfunk typo in CONTRIBUTING.md (404).
Exclude medium.com from lychee: Medium returns 403 to automated
link checkers due to bot detection, not because the link is broken.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
@SebTardif SebTardif merged commit 713e121 into main May 26, 2026
25 checks passed
@SebTardif SebTardif deleted the ci/wave3-release-supply-chain branch June 21, 2026 02:42
Development

Successfully merging this pull request may close these issues:

  • ci: add benchmark regression gating with benchstat
  • ci: add SLSA Level 3 provenance for release artifacts
  • ci: add backport automation