Skip to content

ci(release): grant SLSA provenance permissions#17

Merged
CybotTM merged 2 commits intomainfrom
ci/slsa-provenance-permissions
Apr 30, 2026
Merged

ci(release): grant SLSA provenance permissions#17
CybotTM merged 2 commits intomainfrom
ci/slsa-provenance-permissions

Conversation

@CybotTM
Copy link
Copy Markdown
Member

@CybotTM CybotTM commented Apr 30, 2026

Summary

Grants the two permissions the upstream reusable release workflow at netresearch/skill-repo-skill needs in order to publish a SLSA build-provenance attestation for every release archive.

     permissions:
-      contents: write
-      pull-requests: write
+      contents: write          # release upload
+      id-token: write          # OIDC for sigstore (required by the attest job)
+      attestations: write      # GitHub native attestation API (required by the attest job)

Why

This is part of an org-wide rollout flipping SLSA build-provenance attestations to always on in the reusable release workflow. The first cut shipped the feature behind an opt-in input (with: attest: true); on review, opt-in was the wrong call — every release artefact in the org should have provenance, and the cost of "always on" is a tiny one-time permission grant per consumer (this PR).

Sequencing

This PR lands first. After every consumer of netresearch/skill-repo-skill/.github/workflows/release.yml@main has merged the equivalent change, the upstream will drop the opt-in input and the if: gate so the attest job always runs. No window of broken releases either way: callers that already grant the permissions are forward-compatible.

Test plan

  • CI green on this PR
  • After upstream removes the opt-in, the next release here will produce SLSA attestations verifiable via gh attestation verify <archive> --owner netresearch

@CybotTM
ci(release): grant SLSA provenance permissions
21a01e5 
Required by netresearch/skill-repo-skill/.github/workflows/release.yml,
which generates SLSA build-provenance attestations for release archives
via actions/attest-build-provenance. The reusable workflow's attest job
needs id-token: write (OIDC for sigstore) and attestations: write
(GitHub native attestation API) on the calling job.

Also drops pull-requests: write — the reusable workflow doesn't touch
the pulls API; it was over-privileging.
Copilot AI review requested due to automatic review settings April 30, 2026 07:45
@gemini-code-assist
Copy link
Copy Markdown

gemini-code-assist Bot commented Apr 30, 2026

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

Copilot AI reviewed Apr 30, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

Updates the release workflow permissions so the upstream reusable release workflow can mint SLSA build provenance attestations during releases.

Changes:

  • Adds id-token: write to enable OIDC-based signing (sigstore) for the attest job
  • Adds attestations: write to allow publishing provenance via GitHub’s attestation API
  • Adjusts existing permissions for the release job

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/release.yml
@CybotTM CybotTM merged commit d5c963f into main Apr 30, 2026
6 checks passed
@CybotTM CybotTM deleted the ci/slsa-provenance-permissions branch April 30, 2026 08:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@CybotTM