fix(ci): unblock build-attested workflow on missing HOMEBREW_DEPLOY_KEY #1296
No actionable comments were generated in the recent review.
Recent review info: Configuration used: Path: .coderabbit.yaml | Review profile: ASSERTIVE | Plan: Enterprise | Files selected for processing (1)
Walkthrough: This PR adds an explicit
Estimated code review effort: 1 (Trivial) | ~3 minutes
Pre-merge checks: 4 passed
Coverage Report ✅
No Go source files changed in this PR.
Summary
build-attested.yaml failed after successfully attesting the binaries because goreleaser's Homebrew (brews) pipe templates {{ .Env.HOMEBREW_DEPLOY_KEY }}, an env var only wired into on-tag.yaml. With the key absent, goreleaser errors ("map has no entry for key") and the run dies before uploading the artifact.
Motivation / Context
build-attested.yaml produces on-demand SLSA-attested binaries (as a job artifact) for exercising the e2e signing flows locally and in CI without cutting a release tag. It was erroring on every run, so no artifact was ever produced.
Setting HOMEBREW_DEPLOY_KEY to an empty string makes the existing skip_upload template evaluate true, so the Homebrew tap publish is skipped cleanly. on-tag.yaml still supplies the real secret for production releases.
Fixes: N/A
Related: #1214, #1215
Type of Change
Component(s) Affected
.github/workflows/build-attested.yaml)
Implementation Notes
The cosign attestation step itself already worked; only the Homebrew publish pipe broke. The empty env var keeps the key present in goreleaser's .Env map (goreleaser hard-errors on a missing key) while skip_upload (not .Env.HOMEBREW_DEPLOY_KEY) short-circuits the tap publish.
Testing
Re-ran the workflow via workflow_dispatch after the fix (run 27303432250): completed successfully and uploaded the aicr-attested-binaries artifact (4 archives, ~87 MB). CI-only YAML change; no Go code touched.
Risk Assessment
Rollout notes: N/A. on-tag.yaml production releases are unaffected (they provide the real HOMEBREW_DEPLOY_KEY secret).
Checklist
git commit -S)
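The missing-key versus empty-key behaviour described in the Implementation Notes can be reproduced with Go's text/template alone. This is an added example, not code from the PR or from goreleaser; it assumes the template is evaluated with strict missing-key handling (`missingkey=error`), which is consistent with the "map has no entry for key" error quoted above, and the function name `evalSkipUpload` and the sample key value are made up for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// skipUploadTmpl mirrors the skip_upload expression quoted in the PR description.
const skipUploadTmpl = `{{ not .Env.HOMEBREW_DEPLOY_KEY }}`

// evalSkipUpload renders the expression against env (hypothetical helper).
// Assumption: strict missing-key handling, matching the error text on the page.
func evalSkipUpload(env map[string]string) (string, error) {
	t, err := template.New("skip_upload").
		Option("missingkey=error").
		Parse(skipUploadTmpl)
	if err != nil {
		return "", err
	}
	var out bytes.Buffer
	data := map[string]interface{}{"Env": env}
	if err := t.Execute(&out, data); err != nil {
		return "", err
	}
	return out.String(), nil
}

func main() {
	// Constructed inputs: the three states the workflow env can be in.
	cases := []struct {
		name string
		env  map[string]string
	}{
		{"key absent (build-attested before the fix)", map[string]string{}},
		{"key set to empty string (after the fix)", map[string]string{"HOMEBREW_DEPLOY_KEY": ""}},
		{"key set to a value (on-tag release)", map[string]string{"HOMEBREW_DEPLOY_KEY": "constructed-value"}},
	}
	for _, c := range cases {
		out, err := evalSkipUpload(c.env)
		if err != nil {
			fmt.Printf("%s: error: %v\n", c.name, err)
			continue
		}
		fmt.Printf("%s: skip_upload=%s\n", c.name, out)
	}
}
```

The empty string is falsy in Go templates, so `not` yields true and the publish step is skipped without the non-release workflow ever holding the deploy key.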