Conversation

@jmatias jmatias commented Dec 21, 2025

Motivation

  • Provide a concrete GitHub Actions example that demonstrates JFrog Release Lifecycle Management (RLM) with evidence collection and signed attestations.
  • Show how to automate early signing of release candidates to reduce the risk of tampering or accidental changes.
  • Demonstrate managing binaries in SDLC-aligned repositories (RC vs production) and creating Release Bundles for promotion.
  • Illustrate pre-deployment integrity verification of a release using JFrog Evidence Collection (EVC) and promotion only after verification.

Description

  • Add a new workflow file at .github/workflows/jfrog-rlm-evidence.yml that runs on push to main and via workflow_dispatch and configures id-token OIDC permissions.
  • Implement build steps: make build, upload artifacts to an RC repo using jf rt upload, and collect build metadata with jf rt build-collect-env and jf rt build-add-git.
  • Generate an SBOM using anchore/sbom-action@v0, install cosign via sigstore/cosign-installer@v3, and create a keyless signed attestation using cosign attest.
  • Attach signed evidence to the build with jf evc add, publish build info with jf rt build-publish, create a Release Bundle with jf rbc, verify evidence with jf evc verify, and promote the bundle to the production repo with jf rbd.

Testing

  • No automated tests were executed for this change because it is a workflow-only addition; the workflow can be validated by triggering workflow_dispatch or pushing to main to observe runtime behavior.

Codex Task

Copilot AI review requested due to automatic review settings December 21, 2025 19:09
@jmatias jmatias added codex and removed codex labels Dec 21, 2025
Copilot AI left a comment


Pull request overview

This PR adds a comprehensive GitHub Actions workflow for demonstrating JFrog Release Lifecycle Management (RLM) with evidence collection and signed attestations. The workflow automates the process of building, signing, verifying, and promoting release candidates through SDLC-aligned repositories.

Key changes:

  • Implements a two-job workflow with OIDC authentication for JFrog CLI
  • Automates build artifact upload to RC repo, SBOM generation, and keyless attestation signing
  • Establishes evidence verification gates before promoting release bundles to production

--predicate sbom.spdx.json \
--type spdx \
--yes \
"${RC_REPO}/podinfo/${GITHUB_SHA}/"
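Review bot: the subject on the last line is a repository directory path, but `cosign attest` takes an OCI image reference, and the artifacts in this workflow are files uploaded with `jf rt upload` (see the PR description). For a file, use `cosign attest-blob --predicate sbom.spdx.json --type spdx --yes <path-to-built-binary>` so the attestation's subject is the sha256 of the binary the SBOM describes; attesting `sbom.spdx.json` itself (the suggestion below) binds the predicate to the SBOM file rather than to the release artifact. The resulting attestation is what `jf evc add` should attach to the build.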
Copilot AI Dec 21, 2025


The cosign attest command is attempting to attest a repository path rather than a specific artifact. The subject should be a concrete artifact (like a file digest or specific binary path) rather than a directory path. This will likely fail or produce an invalid attestation since cosign expects a specific artifact reference or digest to attest.

Suggested change
"${RC_REPO}/podinfo/${GITHUB_SHA}/"
"sbom.spdx.json"

Copilot uses AI. Check for mistakes.
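The subject-binding check behind this comment, as an added example that is not part of the PR or of cosign/JFrog: it unwraps a DSSE envelope holding an in-toto statement (the shape `cosign attest`/`attest-blob` emit) and checks that a subject carries the local artifact's sha256 and the SPDX predicate type. It assumes in-toto Statement v0.1 and that `--type spdx` maps to `https://spdx.dev/Document`; the sample envelope is constructed and unsigned, and signature verification is left to `cosign verify-attestation`.

```python
# Added example, not code from the PR or from cosign/JFrog. Assumes the DSSE
# envelope shape cosign emits, in-toto Statement v0.1, and the SPDX predicate
# type below; signatures are NOT checked here (cosign verify-attestation does that).
import base64
import hashlib
import json

SPDX_PREDICATE = "https://spdx.dev/Document"
IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def decode_statement(envelope_json: str) -> dict:
    """Unwrap the DSSE envelope and return the in-toto statement (a dict)."""
    envelope = json.loads(envelope_json)
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError("unexpected payloadType %r" % envelope.get("payloadType"))
    return json.loads(base64.b64decode(envelope["payload"]))

def attestation_binds_artifact(envelope_json: str, artifact: bytes,
                               predicate_type: str = SPDX_PREDICATE) -> bool:
    """True iff some subject carries the artifact's sha256 and the predicate type
    matches; a subject with no sha256 (e.g. a bare directory name) never matches."""
    statement = decode_statement(envelope_json)
    if statement.get("predicateType") != predicate_type:
        return False
    want = sha256_hex(artifact)
    return any(s.get("digest", {}).get("sha256", "").lower() == want
               for s in statement.get("subject", []))

def make_envelope(subject_name: str, artifact=None) -> str:
    """Constructed, unsigned envelope for the demo (shape only, not cosign output).
    artifact=None mimics a subject that names a path but has no digest."""
    subject = {"name": subject_name}
    if artifact is not None:
        subject["digest"] = {"sha256": sha256_hex(artifact)}
    statement = {"_type": "https://in-toto.io/Statement/v0.1", "subject": [subject],
                 "predicateType": SPDX_PREDICATE,
                 "predicate": {"spdxVersion": "SPDX-2.3", "name": "podinfo"}}
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return json.dumps({"payloadType": IN_TOTO_PAYLOAD_TYPE, "payload": payload,
                       "signatures": [{"keyid": "", "sig": ""}]})

# Constructed sample artifact standing in for the built podinfo binary.
BINARY = b"\x7fELF podinfo demo bytes"
GOOD = make_envelope("podinfo", BINARY)               # subject bound by digest
BAD = make_envelope("rc-repo/podinfo/abc123/", None)  # directory path, no digest
```

Run as a pre-promotion gate, `attestation_binds_artifact(GOOD, BINARY)` is true and `attestation_binds_artifact(BAD, BINARY)` is false, which is exactly the failure a directory-path subject produces.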
Comment on lines +118 to +120
jf rbd "${RELEASE_BUNDLE_NAME}" "${BUILD_NUMBER}" \
--project "${JF_PROJECT}" \
--repo "${RELEASE_REPO}"
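Review bot: `jf rbd` is JFrog CLI's release-bundle-distribute command (distribution to edge nodes), while the PR description says this step promotes the bundle to the production repo; promotion is `jf rbp` (release-bundle-promote), which takes the target environment as a third positional argument, e.g. `jf rbp "${RELEASE_BUNDLE_NAME}" "${BUILD_NUMBER}" PROD --project "${JF_PROJECT}"`. `--repo` is not a distribute option as far as I know, so check the current `jf rbp` flags for targeting `${RELEASE_REPO}` rather than carrying it over unchanged.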
Copilot AI Dec 21, 2025


The 'rbd' command is missing required parameters for a complete Release Bundle distribution. According to JFrog CLI documentation, 'jf rbd' typically requires additional parameters such as '--signing-key' or '--target' to specify the distribution target. The current command only specifies the bundle name, version, project, and repo, which is insufficient for actual distribution.

Comment on lines +63 to +64
env:
COSIGN_EXPERIMENTAL: "1"
Copilot AI Dec 21, 2025


The COSIGN_EXPERIMENTAL environment variable is deprecated. As of cosign v2.0+, keyless signing is the default behavior and this environment variable is no longer needed. Using deprecated features may cause issues with newer versions of cosign or lead to unexpected behavior.

Suggested change
env:
COSIGN_EXPERIMENTAL: "1"

jobs:
build_and_attest:
name: Build + attest RC
Copilot AI Dec 21, 2025


The job name contains a space followed by a plus sign which may cause confusion. Consider using a more conventional format like 'Build and Attest RC' or 'Build & Attest RC' for better readability and consistency with standard naming conventions.

Suggested change
name: Build + attest RC
name: Build and attest RC

--project "${JF_PROJECT}"

verify_and_promote:
name: Verify + promote to production
Copilot AI Dec 21, 2025


The job name contains a space followed by a plus sign which may cause confusion. Consider using a more conventional format like 'Verify and Promote to Production' or 'Verify & Promote to Production' for better readability and consistency with standard naming conventions.

Suggested change
name: Verify + promote to production
name: Verify and promote to production

@jmatias jmatias force-pushed the main branch 3 times, most recently from 3d62ac1 to 13bcb3b Compare December 26, 2025 01:14
@jmatias jmatias force-pushed the ide/create-github-workflow-for-jfrog-integration branch from 6baa9e3 to 8adc4c9 Compare December 26, 2025 04:59
@jmatias jmatias force-pushed the main branch 2 times, most recently from 7785948 to 6d3b4f7 Compare December 26, 2025 15:41