ci(release): migrate to unified release pipeline via reusables#566
Merged
Replaces the 492-line bespoke release-slsa.yml with a 225-line orchestrator that calls the org-wide reusable workflows (now available at netresearch/.github). Key changes:
- Trigger is tag push (was: release.published). The new create-release reusable creates the release — no more "someone clicks Publish on the draft".
- make_latest computed from semver — bugfix releases on older majors correctly don't steal the "Latest" badge.
- SBOMs generated per binary via build-go-attest's new `sbom: true` input (was: separate sbom job).
- Checksums + cosign sign-blob + verify-notes now handled by the finalize-release reusable (was: inline checksums + release-notes jobs).
- Container build uses build-container reusable with sign=true, attest=true. The pre-build-command hook downloads the released binaries into bin/ so the existing binary-selector Dockerfile stage keeps working and the image ships the exact attested binary that users can independently verify.
- Per-arch image tags (v*-linux-<arch>, latest-<arch>) preserved via a crane-based job after the container build.
- notify-released kept inline (labels and comments on merged PRs + linked issues; ofelia-specific, not yet worth extracting).
- Backfill: `gh workflow run release.yml --ref main -f tag=v0.23.2`.
No regressions in signed artifacts: binaries get GitHub attestations (verifiable via `gh attestation verify`), checksums get keyless cosign sign-blob, images get both `cosign sign` AND actions/attest-build-provenance. Drops the docker build-push-action native provenance/sbom flags in favor of GitHub's attestation-store approach — semantically equivalent, standard across the org.
Signed-off-by: Sebastian Mendel <[email protected]>
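One way to implement the make_latest rule from the list above, as an added example in POSIX sh; this is not the create-release reusable's own code, and the page does not show how netresearch/.github actually computes the value. It assumes tags of the form vMAJOR.MINOR.PATCH with an optional -prerelease suffix, treats a prerelease as never eligible for Latest, and compares the new tag only against existing final-release tags. The existing tag list is constructed sample data; in CI it would come from `git tag --list 'v*'` or `gh release list`.

```shell
#!/bin/sh
# Added example (not netresearch/.github's create-release reusable): decide
# whether a newly pushed tag should carry the "Latest" badge. Assumes tags of
# the form vMAJOR.MINOR.PATCH[-prerelease].
set -e

# semver_key vX.Y.Z[-pre] -> "X Y Z F", where F=1 for a final release and 0 for
# a prerelease, so that v1.0.0-rc1 sorts below v1.0.0.
semver_key() {
  ver=${1#v}
  final=1
  case "$ver" in *-*) final=0; ver=${ver%%-*} ;; esac
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  printf '%s %s %s %s\n' "$major" "$minor" "$patch" "$final"
}

# semver_gt A B -> exit 0 when A is strictly newer than B, 1 otherwise.
semver_gt() {
  set -- $(semver_key "$1") $(semver_key "$2")
  for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
    a=${pair%%:*}
    b=${pair#*:}
    if [ "$a" -gt "$b" ]; then return 0; fi
    if [ "$a" -lt "$b" ]; then return 1; fi
  done
  return 1   # equal versions: not newer
}

# make_latest NEW_TAG EXISTING_TAG... -> prints "true" when NEW_TAG is a final
# release newer than every existing final release, otherwise "false".
# Existing prerelease tags are ignored so that a v2.0.0-rc1 cannot block v1.x.y.
make_latest() {
  new=$1
  shift
  case "$new" in *-*) echo false; return 0 ;; esac
  for existing in "$@"; do
    case "$existing" in *-*) continue ;; esac
    if ! semver_gt "$new" "$existing"; then
      echo false
      return 0
    fi
  done
  echo true
}

# Constructed sample of the repository's existing release tags (not real data).
EXISTING_TAGS='v0.22.0 v0.23.0 v0.23.1 v1.0.0 v1.1.0-rc1'

make_latest v0.23.2 $EXISTING_TAGS      # false: bugfix on the old 0.x line
make_latest v1.0.1 $EXISTING_TAGS       # true: newer than every final release
make_latest v1.1.0-rc1 $EXISTING_TAGS   # false: prereleases never become Latest

# In the workflow the result would be exported for the create-release job, e.g.
# echo "make_latest=$(make_latest "$TAG" $(git tag --list 'v*'))" >> "$GITHUB_OUTPUT"
```

The comparison is done field by field on integers rather than with `sort -V`, so it behaves the same on runners whose `sort` lacks the GNU version-sort option.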
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Pull request overview
Migrates Ofelia’s release automation from the monolithic release-slsa.yml workflow to a new release.yml orchestrator that delegates most work (release creation, binary builds with attestations/SBOM, container build/sign/attest, and finalization) to org-wide reusable workflows.
Changes:
- Added a new tag-push + `workflow_dispatch` driven release orchestrator workflow using `netresearch/.github` reusables.
- Removed the previous `release-slsa.yml` workflow (release.published-triggered) and folded SBOM/checksum/note steps into the reusable finalize/build workflows.
- Kept repo-specific steps inline (per-arch image tagging via crane and released PR/issue notifications).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| .github/workflows/release.yml | New unified release workflow orchestrating release creation, binary+SBOM builds, container build, per-arch tagging, finalization, and notifications. |
| .github/workflows/release-slsa.yml | Removed the old monolithic SLSA release workflow in favor of the new orchestrator. |
- notify-released needs `contents: write` to run `gh release edit`
(was `contents: read`, which would fail when appending the issues
link to release notes).
- Use `grep -Fx` instead of `grep "^${RELEASE_TAG}$"` so tag names
with dots (e.g. v0.23.2) aren't regex-interpreted. Dots would
accidentally match adjacent tags like v0-23-2 etc.
Signed-off-by: Sebastian Mendel <[email protected]>
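The `grep -Fx` point from the commit message above, shown on a constructed tag list as an added example (not the workflow's own script): the buggy anchored-regex check counts tags that differ from v0.23.2 only where the dots are, the fixed-string whole-line check counts the exact tag only. `count_matches_*`, `tag_exists` and the `TAGS` list are illustrative names and sample data.

```shell
#!/bin/sh
# Added example, not the workflow's code: why a tag-existence check must use
# grep -Fx. TAGS is constructed sample data.
set -e

# Constructed tag list: v0-23-2 and v0x23x2 differ from v0.23.2 only where the
# dots are; v0.23.20 shares its prefix.
TAGS='v0.23.1
v0.23.2
v0-23-2
v0x23x2
v0.23.20'

# Buggy (the pattern the commit replaced): the dots in "$1" are regex
# metacharacters that match any character, so v0.23.2 also hits v0-23-2.
# grep -c prints the count even when it is 0 but then exits 1; "|| true"
# keeps set -e from aborting on that.
count_matches_regex() {
  printf '%s\n' "$TAGS" | grep -c "^$1\$" || true
}

# Fixed: -F treats the tag as a fixed string, -x requires a whole-line match,
# and "--" keeps a tag that starts with "-" from being parsed as an option.
count_matches_fixed() {
  printf '%s\n' "$TAGS" | grep -c -Fx -- "$1" || true
}

# tag_exists TAG -> exit 0 only when TAG is present verbatim in the list;
# this is the shape the workflow's check should take.
tag_exists() {
  printf '%s\n' "$TAGS" | grep -qFx -- "$1"
}

count_matches_regex v0.23.2   # 3: v0.23.2, v0-23-2, v0x23x2
count_matches_fixed v0.23.2   # 1
```

Note that `-x` alone is not enough: without `-F` a tag such as `v1.2.3` still matches `v1x2x3`, and a tag containing `+` or `[` (build metadata, for example) can turn into an invalid or surprising regex.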
Summary
Replaces the 492-line `release-slsa.yml` with a 225-line orchestrator calling the org-wide reusable workflows merged to `netresearch/.github`. All capabilities preserved; no regressions in signing, attestation, or provenance.
Before → After
Semantic note on container provenance
Drops docker/build-push-action's native `provenance: true, sbom: true` in favor of `actions/attest-build-provenance` + `cosign sign`. These produce GitHub-attestation-store + Sigstore transparency log entries instead of in-registry OCI metadata — standard across the org, verifiable with `gh attestation verify oci://...` and `cosign verify`.
Trust / provenance chain preserved
The image still ships the exact attested binary:
Users can independently verify:
```bash
# Binary: GitHub build-provenance attestation on the downloaded release asset.
gh attestation verify ofelia-linux-amd64 --repo netresearch/ofelia
# Image: the same attestation type, resolved from the tag to the image digest.
gh attestation verify oci://ghcr.io/netresearch/ofelia:0.23.2 --repo netresearch/ofelia
# Image: keyless cosign signature, pinned to this repo's workflow identity and the Actions OIDC issuer.
cosign verify ghcr.io/netresearch/ofelia:0.23.2 \
--certificate-identity-regexp "https://github.com/netresearch/ofelia/" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com"
# checksums.txt: keyless cosign sign-blob signature produced by finalize-release.
cosign verify-blob --certificate checksums.txt.pem --signature checksums.txt.sig \
--certificate-identity-regexp "https://github.com/netresearch/ofelia/" \
--certificate-oidc-issuer "https://token.actions.githubusercontent.com" \
checksums.txt
```
Backfill
`gh workflow run release.yml --ref main -f tag=v0.23.2`
Test plan
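A verify-before-build helper for the pre-build-command hook described under "Trust / provenance chain preserved", added here as an example; it is not the hook the PR actually uses (the page only says the hook downloads the binaries into bin/). It chains the same checks as the user-facing commands above so that the image can only ever be built from binaries that already verify. Assumptions: release assets are named ofelia-linux-<arch>, checksums.txt with its .sig and .pem are attached to the release, gh and cosign are on the runner, and REPO defaults to netresearch/ofelia. Only `verify_checksums` runs offline; the other functions need network access and a real release.

```shell
#!/bin/sh
# Added example (not the PR's actual pre-build-command hook): before the
# container build, download the released binaries and refuse to proceed unless
# checksums.txt is signed by this repo's workflow, every binary matches it, and
# every binary carries a GitHub attestation. Asset names, REPO and the bin/
# layout are assumptions.
set -e

REPO=${REPO:-netresearch/ofelia}
IDENTITY_RE="https://github.com/${REPO}/"
OIDC_ISSUER="https://token.actions.githubusercontent.com"

# verify_checksums DIR FILE: every file listed in DIR/FILE that exists in DIR
# must hash correctly. Listed files that are absent are ignored
# (--ignore-missing), so a download limited to the linux/* assets still
# verifies; --strict makes malformed lines an error. Non-zero on any mismatch.
verify_checksums() {
  (cd "$1" && sha256sum --check --ignore-missing --strict "$2" >/dev/null)
}

# verify_checksum_signature DIR: keyless cosign signature over checksums.txt,
# pinned to a certificate issued for this repo by the GitHub Actions OIDC
# issuer (the signature finalize-release produces with cosign sign-blob).
verify_checksum_signature() {
  (cd "$1" && cosign verify-blob \
      --certificate checksums.txt.pem --signature checksums.txt.sig \
      --certificate-identity-regexp "$IDENTITY_RE" \
      --certificate-oidc-issuer "$OIDC_ISSUER" \
      checksums.txt)
}

# verify_attestations DIR: each binary must have a provenance attestation in
# this repo's attestation store (what actions/attest-build-provenance writes).
verify_attestations() {
  for f in "$1"/ofelia-linux-*; do
    gh attestation verify "$f" --repo "$REPO"
  done
}

# fetch_and_verify TAG: run the whole chain; any failure aborts the build
# because of set -e, so an unverified binary never reaches the Dockerfile.
fetch_and_verify() {
  mkdir -p bin
  gh release download "$1" --repo "$REPO" --dir bin \
      --pattern 'ofelia-linux-*' --pattern 'checksums.txt*'
  verify_checksum_signature bin
  verify_checksums bin checksums.txt
  verify_attestations bin
}

# Usage in the hook (GITHUB_REF_NAME is the pushed tag on a tag-push trigger):
# fetch_and_verify "$GITHUB_REF_NAME"
```

Order matters: the signature on checksums.txt is checked before the checksums are trusted, and the per-binary attestation is checked last so that a binary which merely hashes correctly but was not produced by this repo's workflow still fails the build.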