feat(evidence): auto-sign evidence pointers on push#1454
Conversation
Add the push-triggered variant of the fork signing workflow (Option B, the follow-up flagged in evidence-publish.yaml's header / #1433). A push under recipes/evidence/** now auto-runs the signer, so a contributor's "commit the unsigned pointer and push" step signs without a manual Actions click. Loop / scope guards (it commits back to the branch): - GitHub doesn't re-run workflows for GITHUB_TOKEN pushes, so the commit-back doesn't re-trigger; the job `if:` also skips a push whose head commit is our own signing commit (covers forks pushing via a PAT). - The push path is fork-only (`github.repository \!= 'NVIDIA/aicr'`) and `branches-ignore: [main]`, so it never auto-commits to the canonical repo or any default branch. workflow_dispatch still works anywhere. - The signer script already no-ops when nothing is unsigned, and fails closed with a clear message when a bundle can't be pulled. Docs: evidence-publishing.md now describes both the automatic (push) and manual (dispatch) paths and the fork-only/no-loop guarantees.
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: ASSERTIVE Plan: Enterprise Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughUpdated the Recipe Evidence: Sign workflow to add a Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related issues
Possibly related PRs
Suggested reviewers
🚥 Pre-merge checks | ✅ 4✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/evidence-publish.yaml:
- Around line 71-72: The workflow gate in evidence-publish.yaml currently
hardcodes main in branches-ignore, which does not match the contributor docs
promise of “any branch other than your default.” Either update the documentation
in evidence-publishing.md to explicitly say the auto-sign guard only excludes
main, or change the workflow logic to use the repository’s default-branch
concept instead of the literal branch name; keep the wording and the
branches-ignore behavior aligned around the same rule.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: ASSERTIVE
Plan: Enterprise
Run ID: 942f9daa-ecda-4004-85c7-a1fa04fcf921
📒 Files selected for processing (2)
.github/workflows/evidence-publish.yamldocs/contributor/evidence-publishing.md
Coverage Report ✅
Coverage BadgeNo Go source files changed in this PR. |
…d main) Address review on #1454: replace the static branches-ignore: [main] with a dynamic job-if check (github.ref_name \!= github.event.repository.default_branch), so a fork whose default branch is renamed/master is still excluded from the push auto-sign — matching the doc's 'any branch other than your default'.
njhensley
left a comment
There was a problem hiding this comment.
Review: Auto-sign evidence pointers on push
✅ Approve — clean, well-guarded, low-risk CI change. All checks green. A couple of minor, non-blocking nits below.
Strengths
- Loop guard is sound and layered. Default-
GITHUB_TOKENpushes don't re-trigger workflows (primary guard); theif:also skips the workflow's ownchore(evidence): sign pending evidence pointershead commit as belt-and-suspenders for PAT-pushing forks. - Upstream is fully isolated. Trigger is
push(notpull_request), so a fork PR can't reach the privilegedid-token: write/contents: writejob. In the canonical repo, push events are gated out bygithub.repository != 'NVIDIA/aicr', leaving only manual dispatch. - Dynamic default-branch match (
github.ref_name != github.event.repository.default_branch) beats a hardcodedmain— survives a renamed default.workflow_dispatchshort-circuits the||, so push-only fields are never evaluated on dispatch. cancel-in-progress: false,persist-credentials: false+ inline push token, andgo mod verifybefore the OIDC-signing build are all preserved correctly.
Minor nits (non-blocking)
- PR description drifted from the implementation. The body's Implementation Notes say "
branches-ignore: [main]keeps it off any default branch", but the diff uses nobranches-ignore— branch scoping moved into the jobif:via the dynamic default-branch match. The workflow header comment is correct; just the PR body is stale. Worth a quick edit so the rationale matches the code. github.event.head_commit.messagecan be null for some push events (e.g., branch deletion).startsWith(null, …)coerces tofalse, so the negation passes and the third clause could let the job attempt to run. In practice thepathsfilter + checkout make this a non-issue, but agithub.event.head_commit != nullguard would be airtight. Truly minor.
Summary
Adds the push-triggered variant of the fork-based evidence signing workflow — "Option B", the follow-up flagged in
evidence-publish.yaml's header when #1433 landed Option A (manualworkflow_dispatch). A push underrecipes/evidence/**now auto-runs the signer, so a contributor's "commit the unsigned pointer and push" step signs without a manual Actions click.Motivation / Context
#1433 deliberately shipped Option A first and documented Option B's loop-guard requirements as a fast-follow. This implements it.
Fixes: N/A
Related: #1433, #1431
Type of Change
Component(s) Affected
docs/,examples/)Implementation Notes
Trigger: added
push(pathsrecipes/evidence/**,branches-ignore: [main]) alongside the existingworkflow_dispatch.Loop / scope guards (the workflow commits the patched pointer back):
GITHUB_TOKEN, so the commit-back doesn't re-trigger. The jobif:also skips a push whose head commit is our own signing commit (startsWith(... 'chore(evidence): sign pending evidence pointers')) — belt-and-suspenders for forks that push via a PAT.github.repository \!= 'NVIDIA/aicr', andbranches-ignore: [main]keeps it off any default branch — it never auto-commits to the canonical repo.workflow_dispatchstill works anywhere (incl. upstream).Testing
Workflow logic is trigger/guard wiring (no unit-test surface); the signer script itself was tested in #1451. The guard expression is exercised by the existing dispatch path plus the new push path.
Risk Assessment
Rollout notes: Forks with Actions enabled get auto-signing on pointer pushes; everyone retains the manual dispatch. Upstream behavior unchanged.
Checklist
actionlint,yamllint)git commit -S)