ci: use draft releases to support immutable GitHub releases

Author: keelerm84

.github/workflows/manual-publish.yml

@@ -6,6 +6,15 @@ on:
         description: "Is this a dry run? If so no package will be published."
         type: boolean
         required: true
+      tag:
+        description: 'Tag of an existing draft release to upload artifacts to.'
+        type: string
+        required: false
+      publish_release:
+        description: 'Publish (un-draft) the release after all artifacts are uploaded?'
+        type: boolean
+        required: false
+        default: true
 
 jobs:
   build-publish:
@@ -14,6 +23,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
+      attestations: write # Needed for artifact attestations
     outputs:
       package-hashes: ${{ steps.build.outputs.package-hashes}}
     steps:
@@ -41,13 +51,31 @@ jobs:
         with:
           password: ${{env.PYPI_AUTH_TOKEN}}
 
-  release-provenance:
-    needs: ["build-publish"]
+      - name: Generate checksums file
+        if: ${{ !inputs.dry_run }}
+        env:
+          HASHES: ${{ steps.build.outputs.package-hashes }}
+        run: |
+          echo "$HASHES" | base64 -d > checksums.txt
+
+      - name: Attest build provenance
+        if: ${{ !inputs.dry_run }}
+        uses: actions/attest@v4
+        with:
+          subject-checksums: checksums.txt
+
+  publish-release:
+    needs: ['build-publish']
+    if: ${{ !inputs.dry_run && inputs.publish_release }}
+    runs-on: ubuntu-latest
     permissions:
-      actions: read
-      id-token: write
       contents: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
-    with:
-      base64-subjects: "${{ needs.build-publish.outputs.package-hashes }}"
-      upload-assets: ${{ !inputs.dry_run }}
+    steps:
+      - name: Publish release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ inputs.tag }}
+        run: >
+          gh release edit "$TAG_NAME"
+          --repo ${{ github.repository }}
+          --draft=false

.github/workflows/release-please.yml

@@ -11,6 +11,7 @@ jobs:
       id-token: write # Needed if using OIDC to get release secrets.
       contents: write # Contents and pull-requests are for release-please to make releases.
       pull-requests: write
+      attestations: write # Needed for artifact attestations
     outputs:
       release-created: ${{ steps.release.outputs.release_created }}
       upload-tag-name: ${{ steps.release.outputs.tag_name }}
@@ -22,7 +23,23 @@ jobs:
       - uses: actions/checkout@v4
         if: ${{ steps.release.outputs.releases_created == 'true' }}
         with:
-          fetch-depth: 0 # Full history is required for proper changelog generation
+          fetch-depth: 0
+
+      - name: Create release tag
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        env:
+          TAG_NAME: ${{ steps.release.outputs.tag_name }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if gh api "repos/${{ github.repository }}/git/ref/tags/${TAG_NAME}" >/dev/null 2>&1; then
+            echo "Tag ${TAG_NAME} already exists, skipping creation."
+          else
+            echo "Creating tag ${TAG_NAME}."
+            git config user.name "github-actions[bot]"
+            git config user.email "github-actions[bot]@users.noreply.github.com"
+            git tag "${TAG_NAME}"
+            git push origin "${TAG_NAME}"
+          fi
 
       - uses: actions/setup-python@v5
         if: ${{ steps.release.outputs.releases_created == 'true' }}
@@ -53,15 +70,31 @@ jobs:
         with:
           password: ${{env.PYPI_AUTH_TOKEN}}
 
-  release-provenance:
-    needs: ["release-package"]
+      - name: Generate checksums file
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        env:
+          HASHES: ${{ steps.build.outputs.package-hashes }}
+        run: |
+          echo "$HASHES" | base64 -d > checksums.txt
+
+      - name: Attest build provenance
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        uses: actions/attest@v4
+        with:
+          subject-checksums: checksums.txt
+
+  publish-release:
+    needs: ['release-package']
     if: ${{ needs.release-package.outputs.release-created == 'true' }}
+    runs-on: ubuntu-latest
     permissions:
-      actions: read
-      id-token: write
       contents: write
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
-    with:
-      base64-subjects: "${{ needs.release-package.outputs.package-hashes }}"
-      upload-assets: true
-      upload-tag-name: ${{ needs.release-package.outputs.upload-tag-name }}
+    steps:
+      - name: Publish release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ needs.release-package.outputs.upload-tag-name }}
+        run: >
+          gh release edit "$TAG_NAME"
+          --repo ${{ github.repository }}
+          --draft=false

release-please-config.json

@@ -8,7 +8,8 @@
         "ldclient/version.py",
         "PROVENANCE.md"
       ],
-      "include-component-in-tag": false
+      "include-component-in-tag": false,
+      "draft": true
     }
   }
 }