Skip to content

fix: release workflow improvements#38

Merged
alecthomas merged 2 commits into
block:mainfrom
walter-square:walter-square/release-workflow-improvements
Jun 11, 2026
Merged

fix: release workflow improvements#38
alecthomas merged 2 commits into
block:mainfrom
walter-square:walter-square/release-workflow-improvements

Conversation

@walter-square

Copy link
Copy Markdown
Contributor

Two related changes to release.yml, in two commits.

1. Build-provenance attestation + SHA256SUMS

  • Adds actions/attest-build-provenance@v2 (digest-pinned) in the build job, emitting a SLSA v1.0 provenance statement signed by Sigstore via the runner's OIDC identity. Downstream installers can verify with gh attestation verify --owner block --repo lefthookmerge <file>.
  • Generates SHA256SUMS over the .bz2 artifacts and attaches it to the release.
  • Adds an explicit permissions block to the build job (contents: read, id-token: write, attestations: write) — setting any permission switches the job to a strict allowlist, so contents: read is restated to keep checkout working.

2. Tag-trigger glob + quoting

  • The tag filter v[0-9]+.[0-9]+.[0-9]+ is a glob, not a regex — the literal + made it match only the tag v+.+.+. Releases fire today only because workflow_dispatch is also enabled. Replaced with v[0-9]*.[0-9]*.[0-9]*.
  • Routes github.ref_name through a TAG env var and uses quoted "$TAG" in gh release create, so the value is always a single argument regardless of content.

Happy to split into two PRs if you'd rather review them separately.

@alecthomas alecthomas merged commit 5de9535 into block:main Jun 11, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants