Skip to content

fix(release): sign and attest GitHub release assets directly#201

Merged
sunib merged 3 commits into
mainfrom
fix/sign-release-assets-scorecard
Jul 6, 2026
Merged

fix(release): sign and attest GitHub release assets directly#201
sunib merged 3 commits into
mainfrom
fix/sign-release-assets-scorecard

Conversation

@sunib

@sunib sunib commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Summary

  • OpenSSF Scorecard's Signed-Releases check only inspects GitHub release assets (looking for *.sigstore.json / *.intoto.jsonl siblings), never OCI registry signatures — so it flagged every release as unsigned even though the image and Helm chart are already cosign-signed and SLSA-attested in ghcr.io.
  • Sign sbom.spdx.json and install.yaml directly with cosign sign-blob --bundle, and attest SLSA build provenance for each via actions/attest-build-provenance, uploading the resulting <asset>.sigstore.json and <asset>.intoto.jsonl files as additional release assets.
  • Updates docs/ci-overview.md's release-artifacts table and adds a cosign verify-blob example for verifying a release asset.

Test plan

  • task lint-actions (actionlint) passes on the modified release.yml
  • Manually confirmed cosign sign-blob --bundle / cosign verify-blob --bundle flag syntax against the pinned cosign version
  • Watch the next main push / release for the new steps to run successfully in publish-manifest and publish-helm
  • Re-run OpenSSF Scorecard after the next release and confirm Signed-Releases no longer warns

🤖 Generated with Claude Code

OpenSSF Scorecard's Signed-Releases check only inspects GitHub release
assets (matching *.sigstore.json / *.intoto.jsonl suffixes), not OCI
registry signatures. The image and chart were already cosign-signed and
SLSA-attested in ghcr.io, but Scorecard still flagged every release as
unsigned/no-provenance because install.yaml and sbom.spdx.json carried
neither. Sign each asset with cosign sign-blob and attest SLSA build
provenance directly, uploading both alongside the original asset.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@sunib, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 16 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 647081df-b592-4b55-a197-0972030c3f75

📥 Commits

Reviewing files that changed from the base of the PR and between 1c62f34 and 85dbec0.

📒 Files selected for processing (4)
  • .devcontainer/Dockerfile
  • .github/workflows/ci.yml
  • .github/workflows/release.yml
  • docs/ci-overview.md
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/sign-release-assets-scorecard

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

sunib and others added 2 commits July 6, 2026 10:22
publish-helm already runs inside the ci-image container and was
installing cosign at runtime via sigstore/cosign-installer just to
sign the chart and (per the prior commit) install.yaml. Bake cosign
into the ci stage of .devcontainer/Dockerfile instead — same
checksum-verified pattern as the other CLI tools there — so that job
drops its installer step, and cosign verify/verify-blob become
available locally without a separate install.

publish-manifest keeps its own cosign-installer: it runs on a bare
ubuntu-latest runner, not the ci-image.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
sigstore/cosign-installer defaults to cosign v3.0.6 when cosign-release
isn't set, which silently diverged from the v3.1.1 baked into the
ci-image that publish-helm signs with. Pin it explicitly so both
signing jobs in the same release run the same cosign binary.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
@sunib sunib merged commit 10f8962 into main Jul 6, 2026
16 checks passed
@sunib sunib deleted the fix/sign-release-assets-scorecard branch July 6, 2026 10:33
@codecov

codecov Bot commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant