Skip to content

verify-action-build: print a green attestation note with assumptions#977

Merged
dfoulks1 merged 1 commit into
mainfrom
attestation-verify-note
Jun 29, 2026
Merged

verify-action-build: print a green attestation note with assumptions#977
dfoulks1 merged 1 commit into
mainfrom
attestation-verify-note

Conversation

@potiuk

@potiuk potiuk commented Jun 29, 2026

Copy link
Copy Markdown
Member

What

When a downloader script (or an action.yml run block) verifies its download via gh attestation verify, verify-action-build already passed it as "verification present in file" — but gave no signal that the strongest mechanism, GitHub build attestation, was the one detected.

This adds an explicit green note naming attestation verification, plus a dim Assumptions block that spells out the static-scan limitations:

✓ scripts/install.sh: 1 download(s), verification present in file
  ✓ GitHub build attestation verification detected (`gh attestation verify`) in scripts/install.sh
  Assumptions: this is a static text match. It confirms an attestation-verify
  command is present in the same file as the download; it does NOT run the
  installer, does NOT confirm the verify call targets the artifact that gets
  downloaded, and does NOT detect fail-open behaviour (e.g. verification
  skipped/warned when `gh` is unavailable). Treat it as 'verification mechanism
  present', not 'verification proven to be enforced'.

Why

Surfaced while triaging #975 (dependabot bump of untitaker/hyperlink to 0.3.2, whose installer added gh attestation verify). The scan correctly passed it, but a reviewer couldn't tell which mechanism satisfied the check, nor what the check did and did not prove. The note makes the strongest signal visible and its assumptions explicit.

Scope

  • Pass/fail classification is unchanged — this only adds a clearer, caveated green signal.
  • Fires for both inline action.yml run blocks and referenced installer scripts.
  • Covered by a regression test modelled on the untitaker/hyperlink installer shape.

Full suite: 147 passed.

🤖 Generated with Claude Code

@potiuk
verify-action-build: print a green attestation note with assumptions
4c9ced5 
When a downloader script (or action.yml run block) verifies its download
via `gh attestation verify`, the scan already passed it as "verification
present in file" — but gave no signal that the strongest mechanism,
GitHub build attestation, was the one detected.

Add an explicit green note naming attestation verification, plus a dim
"Assumptions" block making the static-scan limitations clear: it confirms
the verify command is present, but does not run the installer, does not
confirm the call targets the downloaded artifact, and cannot detect
fail-open behaviour (verification skipped/warned when `gh` is absent).

Behaviour is otherwise unchanged — pass/fail classification is identical;
this only adds a clearer, caveated green signal. Covered by a regression
test modelled on the untitaker/hyperlink installer shape.

Generated-by: Claude Opus 4.8 (1M context), Claude Code
@potiuk potiuk mentioned this pull request Jun 29, 2026
Merged
dfoulks1
dfoulks1 approved these changes Jun 29, 2026
View reviewed changes

@dfoulks1 dfoulks1 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@dfoulks1 dfoulks1 merged commit 1e556e6 into main Jun 29, 2026
8 checks passed
@dfoulks1 dfoulks1 deleted the attestation-verify-note branch June 29, 2026 17:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dfoulks1 dfoulks1 dfoulks1 approved these changes
@ppkarwasz ppkarwasz Awaiting requested review from ppkarwasz ppkarwasz is a code owner

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@potiuk @dfoulks1