ci: switch from SLSA provenance to actions/attest with subject-path (#19)

keelerm84 · web-flow · commit 59e7fd1a617d · 2026-04-01T09:58:38.000-07:00
**Requirements** - [x] I have added test coverage for new or changed functionality - [x] I have followed the repository's [pull request submission guidelines](../blob/main/CONTRIBUTING.md#submitting-pull-requests) - [x] I have validated my changes against all supported platform versions N/A — CI-only changes, no application code or tests modified. **Related issues** Supports the org-wide migration to immutable GitHub releases. Once a release is published, it can no longer be modified, which breaks workflows that upload artifacts after release-please publishes the release. **Describe the solution you've provided** Since this repo only uses attestation (no binary/artifact uploads to the release), draft releases are **not** needed — `actions/attest@v4` stores attestations via GitHub's attestation API rather than as release assets. This PR makes the following changes: 1. **Replace SLSA with `actions/attest@v4` using `subject-path`** (both workflows): Removed the separate `release-provenance` job that used `slsa-framework/slsa-github-generator` (which uploaded `.intoto.jsonl` files as release assets via `upload-assets: true`) and replaced it with inline `actions/attest@v4` steps within the build job. Attestation uses `subject-path: 'launchdarkly-openfeature-server-sdk-*.gem'` to reference the built gem file directly on disk — no hash computation, base64 encoding, or checksums file needed. Added `attestations: write` permission. Removed `gem-hash` job output entirely. 2. **Removed hash plumbing from composite action** (`.github/actions/publish/action.yml`): Removed the `gem-hash` output and "Hash gem for provenance" step. These existed to produce base64-encoded checksums for the old SLSA generator and are no longer needed since `subject-path` lets `actions/attest@v4` read files directly from disk. 3. **Cleaned up orphaned declarations**: Removed the unused `tag` input from `manual-publish.yml` (was declared but never referenced by any step, with a stale "draft release" description). Removed orphaned `release-created` and `upload-tag-name` job outputs from `release-please.yml` — their sole consumer was the removed `release-provenance` job. 4. **`release-please-config.json`**: Reformatted `extra-files` array to multi-line — no functional changes. ### Why no draft releases? The old SLSA generator uploaded provenance files as release assets via `upload-assets: true`, which would fail under immutable releases. The new `actions/attest@v4` stores attestations in GitHub's attestation API instead — it does **not** modify the GitHub release. Since this repo has no other artifact uploads, release-please can publish directly without a draft→un-draft flow. Repos that upload actual binaries (e.g. ld-relay, cpp-sdks) still use draft releases. ### Updates since last revision - Removed unused `tag` input from `manual-publish.yml` and orphaned `release-created` / `upload-tag-name` outputs from `release-please.yml`. These were dead declarations left behind when the `release-provenance` job and draft-release machinery were removed. (Addresses Cursor Bugbot findings.) **Describe alternatives you've considered** - **Draft release pattern**: An earlier revision used draft releases with a `publish-release` job to un-draft after completion. This was simplified after determining that attestation-only repos don't need draft releases since `actions/attest@v4` doesn't modify the release. - **`subject-checksums`**: An intermediate revision decoded base64 hashes into a checksums file for `actions/attest`. This worked but was unnecessarily complex — the gem file is already on disk in the same job, so `subject-path` references it directly. **Additional context** Key review points: - [x] ~~**`tag` input is declared but unused**~~: Now resolved — the `tag` input was removed entirely. - [x] ~~**No `dry_run` guard on attestation in `manual-publish.yml`**~~: Now resolved — the attest step is gated on `!inputs.dry_run`. - [ ] **Glob pattern correctness**: Verify `subject-path: 'launchdarkly-openfeature-server-sdk-*.gem'` matches the gem produced by `gem build launchdarkly-openfeature-server-sdk.gemspec`. The publish action already uses the same pattern for `gem push`, so this should be consistent — but worth confirming. - [ ] **`releases_created` vs `release_created`**: In `release-please.yml`, the attestation step uses `steps.release.outputs.releases_created` (plural) while the original job-level output used `release_created` (singular). Both are valid release-please outputs but confirm they behave identically for this single-package repo. - [ ] **`contents: read` vs `contents: write`**: `manual-publish.yml` has `contents: read` while `release-please.yml` has `contents: write`. Verify `actions/attest@v4` does not require `contents: write`. - [ ] **Confirm `actions/attest@v4` meets compliance requirements**: This replaces `slsa-framework/slsa-github-generator`. Verify the attestation format is acceptable for your supply-chain security needs. Link to Devin session: https://app.devin.ai/sessions/7d5bda4d9dbe4ae0b950b30a50485e60 Requested by: @keelerm84
diff --git a/.github/actions/publish/action.yml b/.github/actions/publish/action.yml
@@ -4,10 +4,6 @@ inputs:
   dry_run:
     description: 'Is this a dry run. If so no package will be published.'
     required: true
-outputs:
-  gem-hash:
-    description: "base64-encoded sha256 hashes of distribution files"
-    value: ${{ steps.gem-hash.outputs.gem-hash }}
 
 runs:
   using: composite
@@ -16,12 +12,6 @@ runs:
       shell: bash
       run: gem build launchdarkly-openfeature-server-sdk.gemspec
 
-    - name: Hash gem for provenance
-      id: gem-hash
-      shell: bash
-      run: |
-        echo "gem-hash=$(sha256sum launchdarkly-openfeature-server-sdk-*.gem | base64 -w0)" >> "$GITHUB_OUTPUT"
-
     - name: Publish Library
       shell: bash
       if: ${{ inputs.dry_run == 'false' }}
diff --git a/.github/workflows/manual-publish.yml b/.github/workflows/manual-publish.yml
@@ -14,8 +14,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
-    outputs:
-      gem-hash: ${{ steps.publish.outputs.gem-hash}}
+      attestations: write
     steps:
       - uses: actions/checkout@v4
 
@@ -37,13 +36,8 @@ jobs:
         with:
           dry_run: ${{ inputs.dry_run }}
 
-  release-provenance:
-    needs: [ 'build-publish' ]
-    permissions:
-      actions: read
-      id-token: write
-      contents: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
-    with:
-      base64-subjects: "${{ needs.build-publish.outputs.gem-hash }}"
-      upload-assets: ${{ !inputs.dry_run }}
+      - name: Attest build provenance
+        if: ${{ !inputs.dry_run }}
+        uses: actions/attest@v4
+        with:
+          subject-path: 'launchdarkly-openfeature-server-sdk-*.gem'
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -12,10 +12,7 @@ jobs:
       id-token: write # Needed if using OIDC to get release secrets.
       contents: write # Contents and pull-requests are for release-please to make releases.
       pull-requests: write
-    outputs:
-      release-created: ${{ steps.release.outputs.release_created }}
-      upload-tag-name: ${{ steps.release.outputs.tag_name }}
-      gem-hash: ${{ steps.publish.outputs.gem-hash}}
+      attestations: write
     steps:
       - uses: googleapis/release-please-action@16a9c90856f42705d54a6fda1823352bdc62cf38 # v4.4.0
         id: release
@@ -51,15 +48,8 @@ jobs:
         with:
           token: ${{secrets.GITHUB_TOKEN}}
 
-  release-provenance:
-    needs: [ 'release-package' ]
-    if: ${{ needs.release-package.outputs.release-created == 'true' }}
-    permissions:
-      actions: read
-      id-token: write
-      contents: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
-    with:
-      base64-subjects: "${{ needs.release-package.outputs.gem-hash }}"
-      upload-assets: true
-      upload-tag-name: ${{ needs.release-package.outputs.upload-tag-name }}
+      - name: Attest build provenance
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        uses: actions/attest@v4
+        with:
+          subject-path: 'launchdarkly-openfeature-server-sdk-*.gem'
diff --git a/release-please-config.json b/release-please-config.json
@@ -6,7 +6,10 @@
       "versioning": "default",
       "include-component-in-tag": false,
       "include-v-in-tag": false,
-      "extra-files": ["PROVENANCE.md", "lib/ldclient-openfeature/version.rb"]
+      "extra-files": [
+        "PROVENANCE.md",
+        "lib/ldclient-openfeature/version.rb"
+      ]
     }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -6,7 +6,10 @@`
`6`	`6`	`"versioning": "default",`
`7`	`7`	`"include-component-in-tag": false,`
`8`	`8`	`"include-v-in-tag": false,`
`9`		`- "extra-files": ["PROVENANCE.md", "lib/ldclient-openfeature/version.rb"]`
	`9`	`+ "extra-files": [`
	`10`	`+ "PROVENANCE.md",`
	`11`	`+ "lib/ldclient-openfeature/version.rb"`
	`12`	`+ ]`
`10`	`13`	`}`
`11`	`14`	`}`
`12`	`15`	`}`