Skip to content

feat(evidence): auto-sign evidence pointers on push#1454

Merged
mchmarny merged 3 commits into
mainfrom
feat/evidence-auto-sign-on-push
Jun 24, 2026
Merged

feat(evidence): auto-sign evidence pointers on push#1454
mchmarny merged 3 commits into
mainfrom
feat/evidence-auto-sign-on-push

Conversation

@mchmarny

Copy link
Copy Markdown
Member

Summary

Adds the push-triggered variant of the fork-based evidence signing workflow — "Option B", the follow-up flagged in evidence-publish.yaml's header when #1433 landed Option A (manual workflow_dispatch). A push under recipes/evidence/** now auto-runs the signer, so a contributor's "commit the unsigned pointer and push" step signs without a manual Actions click.

Motivation / Context

#1433 deliberately shipped Option A first and documented Option B's loop-guard requirements as a fast-follow. This implements it.

Fixes: N/A
Related: #1433, #1431

Type of Change

  • New feature (non-breaking change that adds functionality)
  • Build/CI/tooling
  • Documentation update

Component(s) Affected

  • Docs/examples (docs/, examples/)
  • Other: GitHub Actions workflow

Implementation Notes

Trigger: added push (paths recipes/evidence/**, branches-ignore: [main]) alongside the existing workflow_dispatch.

Loop / scope guards (the workflow commits the patched pointer back):

  • No loop: GitHub doesn't re-run workflows for pushes made with the default GITHUB_TOKEN, so the commit-back doesn't re-trigger. The job if: also skips a push whose head commit is our own signing commit (startsWith(... 'chore(evidence): sign pending evidence pointers')) — belt-and-suspenders for forks that push via a PAT.
  • Fork-only: the push path runs only when github.repository \!= 'NVIDIA/aicr', and branches-ignore: [main] keeps it off any default branch — it never auto-commits to the canonical repo. workflow_dispatch still works anywhere (incl. upstream).
  • Graceful: the signer script already no-ops when nothing is unsigned and fails closed with a clear message when a bundle can't be pulled.

Testing

actionlint .github/workflows/evidence-publish.yaml   # OK
yamllint   .github/workflows/evidence-publish.yaml   # OK

Workflow logic is trigger/guard wiring (no unit-test surface); the signer script itself was tested in #1451. The guard expression is exercised by the existing dispatch path plus the new push path.

Risk Assessment

  • Low — Additive trigger on an existing fork-only helper; guarded against loops and against running on the canonical repo. No effect on upstream CI or merge gates.

Rollout notes: Forks with Actions enabled get auto-signing on pointer pushes; everyone retains the manual dispatch. Upstream behavior unchanged.

Checklist

  • Linter passes (actionlint, yamllint)
  • I did not skip/disable tests to make CI green
  • I updated docs (contributor publishing guide)
  • Changes follow existing patterns in the codebase
  • Commits are cryptographically signed (git commit -S)

Add the push-triggered variant of the fork signing workflow (Option B,
the follow-up flagged in evidence-publish.yaml's header / #1433). A push
under recipes/evidence/** now auto-runs the signer, so a contributor's
"commit the unsigned pointer and push" step signs without a manual
Actions click.

Loop / scope guards (it commits back to the branch):
- GitHub doesn't re-run workflows for GITHUB_TOKEN pushes, so the
  commit-back doesn't re-trigger; the job `if:` also skips a push whose
  head commit is our own signing commit (covers forks pushing via a PAT).
- The push path is fork-only (`github.repository \!= 'NVIDIA/aicr'`) and
  `branches-ignore: [main]`, so it never auto-commits to the canonical
  repo or any default branch. workflow_dispatch still works anywhere.
- The signer script already no-ops when nothing is unsigned, and fails
  closed with a clear message when a bundle can't be pulled.

Docs: evidence-publishing.md now describes both the automatic (push) and
manual (dispatch) paths and the fork-only/no-loop guarantees.
@mchmarny mchmarny requested review from a team as code owners June 24, 2026 19:02
@mchmarny mchmarny added theme/ci-dx CI pipelines, developer experience, and build tooling theme/supply-chain SLSA, SBOM, Sigstore, and provenance verification labels Jun 24, 2026
@mchmarny mchmarny self-assigned this Jun 24, 2026
@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 33bb4276-0bb2-45c2-aa19-872173e29d64

📥 Commits

Reviewing files that changed from the base of the PR and between 804eee5 and ca9ae9d.

📒 Files selected for processing (1)
  • .github/workflows/evidence-publish.yaml

📝 Walkthrough

Walkthrough

Updated the Recipe Evidence: Sign workflow to add a push trigger for recipes/evidence/** and gate the sign job on repository, branch, and commit-message checks, while still allowing manual workflow_dispatch runs. The contributor guide was updated to describe the automatic fork-only path and the manual execution path.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

Possibly related PRs

  • NVIDIA/aicr#1451 — related evidence-publish.yaml workflow changes for fork-only signing trigger and guard logic.

Suggested reviewers

  • njhensley
🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed It clearly summarizes the new push-triggered evidence signing workflow for forked repos.
Description check ✅ Passed It matches the workflow and docs changes, including push-triggered signing and guard logic.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feat/evidence-auto-sign-on-push

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/evidence-publish.yaml:
- Around line 71-72: The workflow gate in evidence-publish.yaml currently
hardcodes main in branches-ignore, which does not match the contributor docs
promise of “any branch other than your default.” Either update the documentation
in evidence-publishing.md to explicitly say the auto-sign guard only excludes
main, or change the workflow logic to use the repository’s default-branch
concept instead of the literal branch name; keep the wording and the
branches-ignore behavior aligned around the same rule.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Enterprise

Run ID: 942f9daa-ecda-4004-85c7-a1fa04fcf921

📥 Commits

Reviewing files that changed from the base of the PR and between ebbd322 and 804eee5.

📒 Files selected for processing (2)
  • .github/workflows/evidence-publish.yaml
  • docs/contributor/evidence-publishing.md

Comment thread .github/workflows/evidence-publish.yaml Outdated
@github-actions

Copy link
Copy Markdown
Contributor

@github-actions

Copy link
Copy Markdown
Contributor

Coverage Report ✅

Metric Value
Coverage 77.3%
Threshold 75%
Status Pass
Coverage Badge
![Coverage](https://img.shields.io/badge/coverage-77.3%25-green)

No Go source files changed in this PR.

mchmarny and others added 2 commits June 24, 2026 12:51
…d main)

Address review on #1454: replace the static branches-ignore: [main] with a
dynamic job-if check (github.ref_name \!= github.event.repository.default_branch),
so a fork whose default branch is renamed/master is still excluded from the
push auto-sign — matching the doc's 'any branch other than your default'.
@mchmarny mchmarny changed the title feat(evidence): auto-sign evidence pointers on push (Option B) feat(evidence): auto-sign evidence pointers on push Jun 24, 2026
@mchmarny mchmarny enabled auto-merge (squash) June 24, 2026 20:00

@njhensley njhensley left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review: Auto-sign evidence pointers on push

Approve — clean, well-guarded, low-risk CI change. All checks green. A couple of minor, non-blocking nits below.

Strengths

  • Loop guard is sound and layered. Default-GITHUB_TOKEN pushes don't re-trigger workflows (primary guard); the if: also skips the workflow's own chore(evidence): sign pending evidence pointers head commit as belt-and-suspenders for PAT-pushing forks.
  • Upstream is fully isolated. Trigger is push (not pull_request), so a fork PR can't reach the privileged id-token: write / contents: write job. In the canonical repo, push events are gated out by github.repository != 'NVIDIA/aicr', leaving only manual dispatch.
  • Dynamic default-branch match (github.ref_name != github.event.repository.default_branch) beats a hardcoded main — survives a renamed default. workflow_dispatch short-circuits the ||, so push-only fields are never evaluated on dispatch.
  • cancel-in-progress: false, persist-credentials: false + inline push token, and go mod verify before the OIDC-signing build are all preserved correctly.

Minor nits (non-blocking)

  1. PR description drifted from the implementation. The body's Implementation Notes say "branches-ignore: [main] keeps it off any default branch", but the diff uses no branches-ignore — branch scoping moved into the job if: via the dynamic default-branch match. The workflow header comment is correct; just the PR body is stale. Worth a quick edit so the rationale matches the code.
  2. github.event.head_commit.message can be null for some push events (e.g., branch deletion). startsWith(null, …) coerces to false, so the negation passes and the third clause could let the job attempt to run. In practice the paths filter + checkout make this a non-issue, but a github.event.head_commit != null guard would be airtight. Truly minor.

@mchmarny mchmarny merged commit db3ad73 into main Jun 24, 2026
33 checks passed
@mchmarny mchmarny deleted the feat/evidence-auto-sign-on-push branch June 24, 2026 20:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

area/ci area/docs size/M theme/ci-dx CI pipelines, developer experience, and build tooling theme/supply-chain SLSA, SBOM, Sigstore, and provenance verification

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants