ci: add attestations, release-please, and Dependabot docs #98
Merged
Conversation
Add actions/attest-build-provenance to the release workflow so container images get GitHub-native build attestations alongside existing SLSA and cosign signatures. Users can verify with:

```
gh attestation verify oci://ghcr.io/attune-io/attune:v0.1.0 --owner attune-io
```

Add release-please workflow with Go release type. On each push to main, release-please creates or updates a release PR with an auto-generated changelog based on Conventional Commits. Merging the release PR creates the v* tag that triggers the existing release workflow.

Add pip ecosystem to dependabot.yml for docs/requirements.txt (MkDocs dependencies, monthly cadence).

Document the single-module Go layout and what to update if splitting into multiple modules in CONTRIBUTING.md.

Closes #69
Closes #66
Closes #70

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>
Changes

GitHub Attestations (#69)

Add `actions/attest-build-provenance@v2` to the release workflow after `cosign` signing. This generates GitHub-native build attestations for the container image, complementing existing SLSA Level 3 provenance and cosign signatures. Users can verify without installing cosign:

```
gh attestation verify oci://ghcr.io/attune-io/attune:v0.1.0 --owner attune-io
```

No new permissions needed; the release job already has `id-token: write` and `packages: write`.

release-please (#66)

Add release-please workflow with Go release type configuration:

- `.github/workflows/release-please.yaml` runs on push to `main`
- `release-please-config.json` with `bump-minor-pre-major` and `bump-patch-for-minor-pre-major` (appropriate for pre-v1)
- `release-please-manifest.json` seeded at 0.1.0

On each push to main, release-please creates or updates a release PR with an auto-generated CHANGELOG based on Conventional Commits. Merging the release PR creates the `v*` tag that triggers the existing `release` workflow (GoReleaser + container image + Helm chart + SLSA provenance).

Dependabot docs ecosystem + Go module layout docs (#70)

- Add `pip` ecosystem to `.github/dependabot.yml` for `docs/requirements.txt` (MkDocs dependencies, monthly cadence)
- `CONTRIBUTING.md` section documenting the single-module layout and checklist for adding new modules

Closes #69
Closes #66
Closes #70