
ci: add build-provenance attestations and CodeQL scanning #33

Merged
millerjp merged 1 commit into main from chore/attestations-and-security
Apr 21, 2026

Conversation

@millerjp

Summary

Pre-v1.0.0 security hardening — two free-on-public-repos additions:

  1. Build-provenance attestations on real releases. The goreleaser job now runs `actions/attest-build-provenance@v2` after publish. Keyless Sigstore signing via OIDC, no secrets needed. Subject-paths cover every `dist/*.tar.gz`, `dist/*.zip`, and `dist/checksums.txt`. Only fires on real releases; skipped on `dry_run=true`. The goreleaser job permissions block gained `id-token: write` + `attestations: write`.
  2. CodeQL workflow. `codeql.yml` runs GitHub's `security-and-quality` Go query set on push to main, every PR, and a weekly schedule (Mondays 06:17 UTC). Standard path-ignores for doc-only changes.

Why now

First release (v0.9.0 dry run imminent) should already carry attestations so downstream consumers can verify provenance from day one. CodeQL findings should surface before anything is tagged.

Validation

  • `actionlint .github/workflows/*.yml` — clean.
  • `make check` — green, coverage 100%.
  • No change to `ci.yml` or any other infrastructure.

Follow-ups after merge

Enable these via the GitHub API (one call each, not in this PR because they're settings not workflow code):

  • Secret scanning
  • Secret scanning push protection
  • Dependabot security updates (distinct from the already-live version updates)
  • Private vulnerability reporting

Two free-on-public-repos security additions pre-v1.0.0:

  * release.yml — new `attest-build-provenance` step on the
    goreleaser job after publish. Runs only on real releases
    (dry_run=false), subject-paths cover every dist/*.tar.gz,
    dist/*.zip, and dist/checksums.txt produced by GoReleaser.
    Needs id-token:write + attestations:write on the job,
    added to the permissions block. Keyless Sigstore signing;
    no secrets required.
  * codeql.yml — new workflow running GitHub's security-and-quality
    Go query set on push to main, every PR, and a weekly schedule
    (Mondays 06:17 UTC). Standard doc-file path-ignores so doc-only
    PRs don't trip the scan.

No code change. No runtime dependency change. make check green,
coverage 100%, actionlint clean on both workflow files.
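As an added illustration, not the repository's own release.yml (which this PR page does not show), here is the goreleaser job shape the description above implies: the two extra permissions, the attestation step gated on `dry_run`, and the three subject-path globs. The job name, the `workflow_dispatch` boolean input and the GoReleaser invocation are assumptions.

```yaml
# Added illustration of the step described in the PR; not the repository's
# actual release.yml. Assumes a workflow_dispatch input named `dry_run`
# and a job called `goreleaser`; the real file may differ.
name: release

on:
  push:
    tags: ["v*"]
  workflow_dispatch:
    inputs:
      dry_run:
        description: "Build but do not publish or attest"
        type: boolean
        default: false

jobs:
  goreleaser:
    runs-on: ubuntu-latest
    permissions:
      contents: write      # GoReleaser uploads the release assets
      id-token: write      # OIDC token for keyless Sigstore signing
      attestations: write  # store the provenance attestation on GitHub
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0   # GoReleaser needs full history for the changelog

      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod

      - uses: goreleaser/goreleaser-action@v6
        with:
          # Dry runs build everything but skip the publish phase.
          args: release --clean ${{ inputs.dry_run && '--skip=publish' || '' }}
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

      # Only real releases get an attestation; a dry run skips it so no
      # provenance is recorded for artifacts that were never published.
      - name: Attest build provenance
        if: ${{ !inputs.dry_run }}
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: |
            dist/*.tar.gz
            dist/*.zip
            dist/checksums.txt
```

A downstream consumer can then check a downloaded archive against the recorded provenance with `gh attestation verify <archive> --repo OWNER/REPO` (OWNER/REPO is a placeholder; the page does not name the repository).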
@millerjp millerjp merged commit 7c5343b into main Apr 21, 2026
@millerjp millerjp deleted the chore/attestations-and-security branch April 21, 2026 05:58
@github-actions github-actions Bot locked and limited conversation to collaborators Apr 21, 2026