Conversation

@jmgate jmgate commented Jul 15, 2025

Type: Task

Description

See sandialabs/reverse_argparse#315.

Summary by Sourcery

Implement SLSA provenance generation in the semantic-release workflow and restructure the release process to include artifact hashing, provenance creation, and a hardened publish job.

New Features:

  • Add Hash Build Artifacts step to compute and output base64-encoded SHA256 hashes of dist files
  • Add Upload Build Artifacts step to upload the dist folder for downstream jobs
  • Introduce provenance job using slsa-framework to generate SLSA provenance from artifact hashes
  • Add publish job that hardens the runner, downloads build artifacts and provenance, and publishes to PyPI and GitHub Releases

Enhancements:

  • Move concurrency configuration to the workflow root and remove redundant job-level concurrency
  • Consolidate release check conditions at the job level
  • Harden the runner in the publish job with an egress audit policy
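
The two halves of the hashing scheme described above, as an added shell example (this is not the reverse_argparse workflow's own step code): `hash_dist` produces the base64-encoded `sha256sum` listing that a "Hash Build Artifacts" step's `run:` script would write to `$GITHUB_OUTPUT` and that slsa-github-generator consumes through its `base64-subjects` input, and `verify_dist` does what a downstream consumer does with the subjects recorded in the provenance, decoding them and checking every file so that a swapped or missing artifact is detected. The function names, the `dist/` layout and the sample files in the demo are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the reverse_argparse workflow. Reproduces the
# hashing side of a "Hash Build Artifacts" step and the consumer-side check.
set -eu

# Pick a SHA-256 tool: sha256sum on GNU/busybox systems, shasum on macOS.
sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$@"
  else
    shasum -a 256 "$@"
  fi
}

# Producer side (assumed step logic): hash every file in the given dist
# directory and base64-encode the whole "<hex digest>  <file>" listing as a
# single line. This is the shape slsa-github-generator's base64-subjects
# input expects; the glob expands inside the subshell, after the cd.
hash_dist() {
  dir=$1
  (cd "$dir" && sha256_cmd *) | base64 | tr -d '\n'
}

# Expose the listing as a step output, i.e. append "hashes=<b64>" to the file
# GitHub Actions names in $GITHUB_OUTPUT. The path is a parameter here so the
# function can be exercised outside Actions.
write_hashes_output() {
  dir=$1; out=$2
  printf 'hashes=%s\n' "$(hash_dist "$dir")" >> "$out"
}

# Consumer side: decode the subjects and let the checksum tool verify every
# listed file against the directory. One status line is printed per file and
# the exit status is non-zero if any file is missing or its digest differs.
verify_dist() {
  dir=$1; subjects_b64=$2
  (cd "$dir" && printf '%s' "$subjects_b64" | base64 -d | sha256_cmd -c -)
}

# Stand-alone demo on constructed sample files (not real release artifacts).
demo() {
  tmp=$(mktemp -d)
  mkdir "$tmp/dist"
  printf 'constructed wheel bytes' > "$tmp/dist/example-1.0-py3-none-any.whl"
  printf 'constructed sdist bytes' > "$tmp/dist/example-1.0.tar.gz"
  subjects=$(hash_dist "$tmp/dist")
  echo "base64-subjects: $subjects"
  verify_dist "$tmp/dist" "$subjects" && echo "verify: all artifacts match"
  # Replace one artifact after hashing, as a tampered download would look.
  printf 'replaced' > "$tmp/dist/example-1.0.tar.gz"
  verify_dist "$tmp/dist" "$subjects" || echo "verify: tampered artifact detected"
  rm -rf "$tmp"
}

demo
```

The important property is that the file names inside the listing are relative to `dist/`, so the subject names in the provenance match what a consumer sees after downloading the release files; hashing from the repository root instead would bake a `dist/` prefix into every subject name.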

@jmgate jmgate self-assigned this Jul 15, 2025

sourcery-ai bot commented Jul 15, 2025

Reviewer's Guide

This PR refactors the semantic-release workflow to support SLSA provenance by adding artifact hashing and upload steps, invoking the slsa-github-generator to produce provenance, and restructuring the publish job with runner hardening and consolidated conditions.

File-Level Changes

Change | Details | Files

Refine workflow concurrency control
  • Added a top-level concurrency group for the release workflow
  • Removed the inline concurrency setting under the release job
  Files: .github/workflows/semantic-release.yml

Hash and upload build artifacts
  • Added a step to compute SHA256 hashes for all files in dist and expose them as output
  • Uploaded the dist directory as a build artifact
  • Exposed hashes and released outputs for downstream jobs
  Files: .github/workflows/semantic-release.yml

Introduce a provenance generation job
  • Defined a new provenance job that runs only if the release succeeded
  • Configured permissions and pointed to slsa-framework/slsa-github-generator workflow
  • Passed base64-encoded artifact hashes to the generator
  Files: .github/workflows/semantic-release.yml

Restructure publish job and add runner hardening
  • Merged conditional checks into the job-level if for release and provenance success
  • Added runner hardening using step-security/harden-runner
  • Checked out full repository history and downloaded both build artifacts and provenance
  • Retained PyPI and GitHub Releases steps without individual if conditions
  Files: .github/workflows/semantic-release.yml

@sourcery-ai sourcery-ai bot left a comment

Hey @jmgate - I've reviewed your changes and they look great!



codecov bot commented Jul 15, 2025

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.67%. Comparing base (3a3499a) to head (05dab68).
Report is 2 commits behind head on master.

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #215   +/-   ##
=======================================
  Coverage   78.67%   78.67%           
=======================================
  Files           6        6           
  Lines         830      830           
  Branches      143      143           
=======================================
  Hits          653      653           
  Misses        138      138           
  Partials       39       39           


@jmgate jmgate force-pushed the add-slsa-provenance branch from b280f0f to 3ecad42 on July 16, 2025 20:04
See https://slsa.dev/ for motivation.

Creating a patch release to ensure these additions to the automated
release process work.

Note that the `release` job has been subdivided, because the SLSA
provenance reusable workflow cannot be used as a step within a job, but
must be used as a job on its own.
@jmgate jmgate force-pushed the add-slsa-provenance branch from 3ecad42 to 05dab68 on July 16, 2025 20:23
@jmgate jmgate merged commit aec0cf7 into master Jul 16, 2025
15 checks passed
@jmgate jmgate deleted the add-slsa-provenance branch July 16, 2025 20:31