ci: fix attestation job never running on releases #116

Merged: 27Bslash6 merged 1 commit into main from ci/fix-attestation-workflow on May 16, 2026
@27Bslash6 27Bslash6 commented May 16, 2026

Summary

  • Fix attest job's if: condition — was missing !failure() && !cancelled(), causing the job to always be skipped when validate-inputs was skipped (every normal push release)
  • Decouple publish from attest — attestation failure should not block PyPI publishing
  • Remove continue-on-error: true from Attest Build Provenance step so real failures surface

Root Cause

The attest job depended on validate-inputs (which only runs on manual dispatch). Without the status guard in if:, GitHub Actions skips any job whose needs contains a skipped job — regardless of whether the condition itself is true.

This is why:

  • v0.6.0: attest failed at "Set up job" (permissions issue, since fixed)
  • v0.6.1: attest was skipped entirely (this bug)
  • Weekly health check keeps failing (no attestations ever generated)

Test plan

  • Merge and verify next release creates attestations (trigger via workflow_dispatch with force_release)
  • Verify publish still works independent of attest outcome
  • Weekly attestation health check should pass after next release

Closes #107

Summary by CodeRabbit

  • Chores
    • Optimized internal release workflow configuration to enhance deployment reliability and efficiency.

The attest job was always skipped on normal push releases because its
`if:` lacked the `!failure() && !cancelled()` guard. When validate-inputs
(only runs for manual dispatch) was skipped, the attest job cascaded to
skipped regardless of release_created being true.

Also decouple publish from attest — attestation failure should never
block PyPI publishing. Remove continue-on-error from the core attest
step so failures surface instead of being silently swallowed.

Closes #107
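
The skip cascade and the fix described above, shown as an added example that is not the project's `release-please.yml`. The job names `validate-inputs`, `attest` and `publish` and the `release_created` output come from the PR text; the `release` job, the steps and the action versions are assumptions.

```yaml
# Constructed minimal workflow; not the project's release-please.yml.
# The release job, its steps and the action versions are assumed.
name: release
on:
  push:
    branches: [main]
  workflow_dispatch:

jobs:
  validate-inputs:            # manual dispatch only, so skipped on every push
    if: github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    steps:
      - run: echo "inputs validated"

  release:                    # hypothetical job that builds dist/ and sets the output
    runs-on: ubuntu-latest
    outputs:
      release_created: ${{ steps.rp.outputs.release_created }}
    steps:
      - id: rp
        run: echo "release_created=true" >> "$GITHUB_OUTPUT"  # placeholder

  attest:
    needs: [validate-inputs, release]
    # Weak form: if: needs.release.outputs.release_created == 'true'
    #   With no status function in the expression, a skipped need
    #   (validate-inputs) skips this job before the comparison matters.
    # Corrected form: explicit status functions replace the default check.
    if: ${{ !failure() && !cancelled() && needs.release.outputs.release_created == 'true' }}
    runs-on: ubuntu-latest
    permissions:
      id-token: write         # OIDC token used for signing
      attestations: write
      contents: read
    steps:
      - uses: actions/download-artifact@v4   # assumes release uploaded dist/
        with: {name: dist, path: dist}
      - name: Attest Build Provenance
        # Weak form also set continue-on-error: true, hiding step failures.
        uses: actions/attest-build-provenance@v2
        with:
          subject-path: dist/*

  publish:
    needs: [release]          # attest not listed, so it cannot block publishing
    if: needs.release.outputs.release_created == 'true'
    runs-on: ubuntu-latest
    steps:
      - run: echo "upload dist/ to PyPI"     # placeholder step
```

With the corrected `if:`, a failed `validate-inputs` on manual dispatch still stops `attest`, because `!failure()` is false in that case.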
coderabbitai Bot commented May 16, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 055372c1-d790-451d-a355-cffb808cd52b

📥 Commits

Reviewing files that changed from the base of the PR and between d25252a and 4abf13a.

📒 Files selected for processing (1)
  • .github/workflows/release-please.yml

Walkthrough

The release workflow is restructured to improve attestation reliability and decouple publishing from attestation completion. The attest job is gated with stricter conditions and error propagation, while the publish job is decoupled to run independently.

Changes

Release Workflow Orchestration

| Layer / File(s) | Summary |
|---|---|
| Attestation gating and error handling (`.github/workflows/release-please.yml`) | The attest job is gated with `!failure() && !cancelled()` checks to run only when the build succeeds. The build provenance attestation step removes `continue-on-error: true` so failures are propagated instead of ignored. |
| Publishing independence from attestation (`.github/workflows/release-please.yml`) | The publish job's dependency list is updated to remove the attest job, allowing publishing to proceed without waiting for or requiring attestation completion. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Possibly related PRs

  • cachekit-io/cachekit-py#101: Both PRs update the same release-please.yml workflow by tightening the attest/publish job conditions with gating and dependency adjustments at the job-level logic.
  • cachekit-io/cachekit-py#102: Both PRs modify the release-please.yml CI workflow around the attest/publish jobs (gating/guards and dependencies), with overlapping changes at the workflow step level.

Poem

🐰 A workflow that's stricter, more honest, more clear,
Attestations that fail when they must, have no fear!
Publish runs free, unburdened, untied—
No waiting on guards by your side.
GitHub Actions dance, with less interdependence to hide! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title clearly and concisely describes the main fix: correcting the attestation job condition so it runs properly on releases. |
| Description check | ✅ Passed | The description includes a comprehensive summary, root cause analysis, and test plan; meets the template requirements for a CI/CD change. |
| Linked Issues check | ✅ Passed | The changes directly address issue #107 by fixing the attestation job condition, removing error suppression, and decoupling publish from attest to restore attestation generation. |
| Out of Scope Changes check | ✅ Passed | All changes are focused on fixing the attestation workflow issue described in #107; no unrelated modifications are present. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@27Bslash6 27Bslash6 merged commit 3c3ba52 into main May 16, 2026
32 checks passed
@27Bslash6 27Bslash6 deleted the ci/fix-attestation-workflow branch May 16, 2026 10:02
Successfully merging this pull request may close these issues.

Attestation verification failed for v0.6.0