ci: harden pipeline for secure, validated releases#15
Merged
Conversation
Gate merges and publishes on validation, and secure published artifacts with signing, SBOMs, and attestations. Key changes: - Add CI workflow (typecheck, lint, unit tests) as a PR gate and a reusable workflow_call target - Gate the publish path on the CI checks and the kind E2E run so broken images can never reach ghcr.io - Sign container images (cosign keyless/OIDC), generate an SPDX SBOM, and publish build-provenance and SBOM attestations - Add a non-blocking Trivy filesystem scan that uploads SARIF - Pin the datum-cloud/actions reusable workflow calls to a commit SHA Claude-Session: https://claude.ai/code/session_01NMSkwUcaTmZr7S5XmV2aFG
|
You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool. What Enabling Code Scanning Means:
For more information about GitHub Code Scanning, check out the documentation. |
The new lint gate surfaces a pre-existing @backstage/no-undeclared-imports error: packages/app imports @backstage/theme (UnifiedThemeProvider) without declaring it. Add it as a direct dependency so lint passes. Claude-Session: https://claude.ai/code/session_01NMSkwUcaTmZr7S5XmV2aFG
ecv
approved these changes
Jul 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
Today a change can reach
main— and an image can be published tooci://ghcr.io/datum-cloud/backstage-kustomizeandghcr.io/datum-cloud/backstage— without ever running our typecheck, lint, or unit tests, and the published artifacts carry no signatures, SBOMs, or provenance. This PR makes releases validated before merge, gated before publish, and verifiable after publish. It is a draft for discussion.What changes
1. Merge gate: no PR merges without lint + typecheck + test + E2E green
CIworkflow runs on every pull request: typecheck (yarn tsc:full), lint (yarn lint:all), and unit tests (yarn test:all,CI=true) as three parallel jobs..github/actions/setup-node-yarn) so CI and the publish gate share one source of truth.E2Eworkflow (kind + CloudNativePG + smoke tests) continues to run on PRs. Together withCIthese are the checks that should be marked required in branch protection.2. Publish gate: broken images can't ship
Publish Docker Imagenow depends on theCIchecks and a full E2E run before it builds and pushes anything. Wired withneeds:against the CI and E2E workflows (both are now reusable viaworkflow_call).push: maintrigger is removed because publish now invokes it onmain/tags/releases, avoiding a duplicate kind run per push while keeping the same coverage.datum-cloud/actionsare untouched in behavior — only fronted by the gate.3. Supply chain: sign, SBOM, attest
The reusable
datum-cloud/actions@v1.16.0publish-docker.yamlbuilds and pushes but does not sign, generate an SBOM, or attest (theattestations: writepermission was granted but unused). A newsign-and-attestjob fills the gap after the image is pushed:4. Vulnerability scanning
main, and weekly. It is non-blocking (exit-code: 0) and uploads SARIF to the Security tab, matching how we're introducing a new scanner without gating merges on pre-existing findings. Recommend flipping it to blocking once the backlog is triaged.highvia the reusable default) — left as-is.datum-cloud/actionsreusable workflow calls (publish,snyk) to a commit SHA instead of the mutablev1.16.0tag. Directly-referenced third-party actions in this repo were already SHA-pinned; new ones added here are pinned too.Blocking vs. non-blocking
needs:)needs:)Preconditions for reviewers
CI(typecheck, lint, test) andE2Eas required status checks onmain— theneeds:gate covers the publish path, branch protection covers the merge path.id-token/attestations/packagespermissions (already declared) — no new secrets.SNYK_TOKENremains a precondition for the existing Snyk scan.snyk/actions/setup@masterfloating ref lives insidedatum-cloud/actionsand can't be pinned from this repo — worth a follow-up there.Related
Cross-links datum-cloud/infra#2967 to operationalize the service catalog once the pipeline is hardened.