
fix(ci): unblock build-attested workflow on missing HOMEBREW_DEPLOY_KEY #1296

Merged. lockwobr merged 1 commit into main from fix/ci-attestation-action, Jun 10, 2026

@lockwobr

Contributor

Summary

build-attested.yaml failed after successfully attesting the binaries because
goreleaser's Homebrew (brews) pipe templates {{ .Env.HOMEBREW_DEPLOY_KEY }},
an env var only wired into on-tag.yaml. With the key absent, goreleaser errors
("map has no entry for key") and the run dies before uploading the artifact.

Motivation / Context

build-attested.yaml produces on-demand SLSA-attested binaries (as a job
artifact) for exercising the e2e signing flows locally and in CI without cutting
a release tag. It was erroring on every run, so no artifact was ever produced.
Setting HOMEBREW_DEPLOY_KEY to an empty string makes the existing
skip_upload template evaluate true, so the Homebrew tap publish is skipped
cleanly. on-tag.yaml still supplies the real secret for production releases.

Fixes: N/A
Related: #1214, #1215

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • Build/CI/tooling

Component(s) Affected

  • Other: GitHub Actions CI workflow (.github/workflows/build-attested.yaml)

Implementation Notes

The cosign attestation step itself already worked; only the Homebrew publish
pipe broke. The empty env var keeps the key present in goreleaser's .Env map
(goreleaser hard-errors on a missing key) while skip_upload (not .Env.HOMEBREW_DEPLOY_KEY) short-circuits the tap publish.

Testing

Re-ran the workflow via workflow_dispatch after the fix
(run 27303432250): completed successfully and uploaded the
aicr-attested-binaries artifact (4 archives, ~87 MB). CI-only YAML change; no
Go code touched.

Risk Assessment

  • Low — Isolated CI workflow change, easy to revert

Rollout notes: N/A. on-tag.yaml production releases are unaffected (they
provide the real HOMEBREW_DEPLOY_KEY secret).

Checklist

  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)
  • I did not skip/disable tests to make CI green
  • Go test/lint gates: N/A (CI workflow YAML only, no Go changes)

@lockwobr lockwobr requested a review from a team as a code owner June 10, 2026 20:27
@lockwobr lockwobr self-assigned this Jun 10, 2026
@lockwobr lockwobr added the theme/ci-dx CI pipelines, developer experience, and build tooling label Jun 10, 2026
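
The failure mode described in the PR summary, reproduced with Go's standard text/template as an added example (not code from this PR or from goreleaser): under strict missing-key handling an absent map key aborts rendering, while an empty value renders and makes the skip expression true. The `missingkey=error` option, the `{{ not .Env.HOMEBREW_DEPLOY_KEY }}` template form, and the `render` helper are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
	"text/template"
)

// Assumed form of the skip_upload expression quoted in the PR description.
const skipUploadTmpl = `{{ not .Env.HOMEBREW_DEPLOY_KEY }}`

// render executes tmpl against an Env map with missingkey=error, so a lookup
// of an absent key is a hard failure instead of an empty value.
func render(tmpl string, env map[string]string) (string, error) {
	t, err := template.New("skip_upload").Option("missingkey=error").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var out strings.Builder
	if err := t.Execute(&out, map[string]interface{}{"Env": env}); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// Constructed environments; the key value is a placeholder, not a secret.
	cases := []struct {
		name string
		env  map[string]string
	}{
		{"key absent (before the fix)", map[string]string{}},
		{"key empty (after the fix)", map[string]string{"HOMEBREW_DEPLOY_KEY": ""}},
		{"key supplied (release workflow)", map[string]string{"HOMEBREW_DEPLOY_KEY": "PLACEHOLDER"}},
	}
	for _, c := range cases {
		got, err := render(skipUploadTmpl, c.env)
		if err != nil {
			fmt.Printf("%-32s error: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-32s skip_upload=%s\n", c.name, got)
	}
}
```

The empty-string case is what lets the on-demand workflow run without the deploy secret ever being exposed to it.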
@coderabbitai

coderabbitai Bot commented Jun 10, 2026


No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: f2171d35-1610-4543-9ed2-023fef67a35c

📥 Commits

Reviewing files that changed from the base of the PR and between 8d0da78 and 06a73fc.

📒 Files selected for processing (1)
  • .github/workflows/build-attested.yaml

📝 Walkthrough

This PR adds an explicit HOMEBREW_DEPLOY_KEY: "" environment variable to the "Build and attest" GitHub Actions workflow step. The change prevents template errors from goreleaser's Homebrew logic when the environment variable is undefined, and ensures Homebrew publishing is skipped for this testing-only workflow. Production releases are expected to provide the actual secret via the on-tag.yaml workflow.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title accurately and specifically describes the main fix: unblocking the build-attested workflow by addressing the missing HOMEBREW_DEPLOY_KEY issue.
Description check | ✅ Passed | The description is comprehensive, well-structured, and directly related to the changeset, explaining the problem, solution, testing, and risk assessment.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


@lockwobr lockwobr enabled auto-merge (squash) June 10, 2026 20:30
@lockwobr lockwobr merged commit 4e8f778 into main Jun 10, 2026
34 of 35 checks passed
@lockwobr lockwobr deleted the fix/ci-attestation-action branch June 10, 2026 20:41
@github-actions

Contributor

Coverage Report ✅

Metric | Value
Coverage | 76.5%
Threshold | 75%
Status | Pass

No Go source files changed in this PR.


Labels

area/ci size/XS theme/ci-dx CI pipelines, developer experience, and build tooling
