Consolidate Native Build Workflows & Implement Secure Release Manifests#2348
Open
dividedmind wants to merge 2 commits into main from
Conversation
Pull request overview
This PR consolidates the native binary build/release workflows into a single pipeline that builds @appland/appmap and @appland/scanner binaries across platforms, uploads artifacts, and (on tags) finalizes GitHub releases while publishing JSON release manifests to a dedicated release-manifests branch.
Changes:
- Merged native build workflows (appmap + scanner) into `.github/workflows/build-native.yml`, adding a setup job to route builds based on tag type.
- Reworked release finalization to download artifacts, upload via `gh release upload`, generate manifest JSON, and publish to `release-manifests`.
- Removed legacy helper scripts (`bin/build-native`, `bin/hash`, `bin/hash.js`) and deleted the scanner-specific workflow.
Reviewed changes
Copilot reviewed 3 out of 6 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| `bin/hash.js` | Removes Node-based hashing helper script. |
| `bin/hash` | Removes bash-based hashing helper script. |
| `bin/build-native` | Removes legacy wrapper that built/signed/notarized/hashed binaries. |
| `.github/workflows/build-native.yml` | Consolidates multi-package native builds and adds release finalization + manifest publishing. |
| `.github/workflows/build-native-scanner.yml` | Removes the now-redundant scanner-specific workflow. |
| `.github/actions/setup-node/action.yml` | Updates Node setup composite action (node setup + caching + output handling). |
Merged duplicate workflows and significantly improved the native build pipeline:

Consolidation & DRY:
- Merged build-native.yml and build-native-scanner.yml into single workflow
- Removed unused scripts: bin/build-native, bin/hash, bin/hash.js

Release Management:
- Centralized all release uploads in finalize-release job
- Replaced svenstaro/upload-release-action with native gh CLI
- Removed manual checksum generation (GitHub provides manifests)

Security & Best Practices:
- Added explicit least-privilege permissions (contents: read by default)
- Only finalize-release has contents: write permission
- Replaced custom PAT with built-in GITHUB_TOKEN
- Added concurrency control to cancel outdated PR builds
- Added timeouts to all jobs (5-60 min based on complexity)
- Use ubuntu-slim for bookkeeping jobs

Dependencies & Fixes:
- Updated all GitHub Actions to latest versions:
  • checkout: v3 → v6
  • cache: v3 → v5
  • setup-node: v4 → v6
  • upload-artifact: v4 → v6
  • download-artifact: v4 → v7
- Fixed deprecated set-output command in setup-node action
- Fixed missing Node.js setup in finalize-release job
- Actually use x64 macos runner to build for x64
- Made code signing optional for non-tag builds
…y verification

- Add `merge-multiple: true` to `download-artifact` to flatten asset structure.
- Split GitHub release process into binary upload and final publication steps.
- Implement manifest generation using `gh` and `jq`.
- Add strict SHA256 integrity verification using `sha256sum --check` before release finalization.
- Add automated publishing of manifests to the `release-manifests` orphan branch.

This ensures a secure, verifiable release pipeline where public manifests and tags are only updated after successful asset validation.
e92964e to d9d9aab
Summary
This PR consolidates fragmented native build workflows into a single, optimized pipeline and introduces a secure release manifest publication process (based on the proposal in #2346). It significantly improves CI efficiency, security, and maintainability by removing redundant scripts, updating actions, and enforcing integrity checks before release finalization.
Key Changes
🚀 CI Optimization & Refactoring
- Merged `build-native.yml` and `build-native-scanner.yml` into a single, unified workflow.
- Removed unused scripts (`bin/build-native`, `bin/hash`, `bin/hash.js`).
- Fixed deprecated `set-output` commands.
- Centralized release uploads in the `finalize-release` job.

🔒 Security & Release Management
- Added `sha256sum --check` verification of assets before finalizing a release.
- Publish release manifests to the `release-manifests` orphan branch.
- Added explicit `permissions` scopes (defaulting to `contents: read`), granting `contents: write` only to the release finalization job.
- Replaced the custom PAT with the `gh` CLI and the built-in `GITHUB_TOKEN`.

⚡ Performance
- Use `ubuntu-slim` images for bookkeeping jobs.
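The gate described in the second commit and in the Security section above (verify every downloaded asset with `sha256sum --check`, and only then build the manifest and publish), as an added example that is not the PR's workflow and not appmap-js project code. It assumes a layout the page does not specify: each asset `X` in the download directory has a sibling `X.sha256` in `sha256sum` text format (`<hex>  X`). The manifest is assembled in plain sh rather than with `gh` and `jq` so the snippet runs with coreutils alone; the manifest field names are illustrative.

```shell
#!/bin/sh
# Added example (not the appmap-js workflow): verify release assets, then
# emit a manifest, in that order. Assumed layout: every asset "X" has a
# sibling "X.sha256" in sha256sum text format ("<hex>  X").
set -eu

# verify_assets DIR
# Returns 0 only if (a) every non-.sha256 file has a matching .sha256 file
# and (b) every listed checksum verifies. (a) matters because
# sha256sum --check only looks at files that appear in a checksum list;
# an asset that arrived without one would otherwise pass silently.
verify_assets() {
  dir=$1
  for f in "$dir"/*; do
    case $f in *.sha256) continue ;; esac
    if [ ! -f "$f.sha256" ]; then
      echo "missing checksum for ${f##*/}" >&2
      return 1
    fi
  done
  # --strict: malformed checksum lines are an error, not a skip.
  # --quiet: print only failures, so the CI log shows what broke.
  ( cd "$dir" && cat ./*.sha256 | sha256sum --check --strict --quiet )
}

# build_manifest TAG DIR
# Prints {"tag":..., "assets":[{"name":..., "sha256":...}, ...]} built from
# the verified checksum files. Asset names are assumed to be plain
# identifiers (no quotes or backslashes), so no JSON escaping is done here.
build_manifest() {
  tag=$1
  dir=$2
  printf '{"tag":"%s","assets":[' "$tag"
  sep=''
  for c in "$dir"/*.sha256; do
    read -r hex name < "$c"
    printf '%s{"name":"%s","sha256":"%s"}' "$sep" "$name" "$hex"
    sep=,
  done
  printf ']}\n'
}

# finalize TAG DIR
# The ordering that the PR relies on: verification first, and the manifest
# (and, in the real job, the release upload and branch push) only on success.
finalize() {
  tag=$1
  dir=$2
  if ! verify_assets "$dir"; then
    echo "refusing to finalize $tag: asset verification failed" >&2
    return 1
  fi
  build_manifest "$tag" "$dir"
}
```

In the workflow this would sit in `finalize-release` after `download-artifact` (with `merge-multiple: true` so all assets land in one directory) and before `gh release upload` and the commit to `release-manifests`; `set -e` plus the non-zero return from `finalize` is what stops the job from reaching those steps when a checksum fails or is missing.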