Skip to content

fix: attach SLSA provenance to draft release via gh release upload#713

Merged
SoulPancake merged 5 commits into
mainfrom
chore/fix-provenance-duplicate-draft
Jun 20, 2026
Merged

fix: attach SLSA provenance to draft release via gh release upload#713
SoulPancake merged 5 commits into
mainfrom
chore/fix-provenance-duplicate-draft

Conversation

@SoulPancake

@SoulPancake SoulPancake commented Jun 19, 2026

Copy link
Copy Markdown
Member

The slsa-github-generator (pinned at v2.1.0) attaches provenance using softprops/action-gh-release@v2.2.1, whose draft lookup reassigns the match on every page of releases instead of breaking on first hit. Once a repo crosses 100 releases (2 pages), the fresh draft on page 1 is clobbered by the empty page 2, the action falls through to createRelease(), and two drafts end up on the same tag.

Set upload-assets: false so the generator no longer touches the release, and add a release-provenance job that downloads the provenance artifact and attaches it to goreleaser's single draft via 'gh release upload', which resolves the draft deterministically by tag.

The issue was first found out in the openfga/openfga repo while attempting the same pipeline for immutable tagging

openfga/openfga#3178 (comment)

Description

What problem is being solved?

How is it being solved?

What changes are made to solve it?

References

Review Checklist

  • I have clicked on "allow edits by maintainers".
  • I have added documentation for new/changed functionality in this PR or in a PR to openfga.dev [Provide a link to any relevant PRs in the references section above]
  • The correct base branch is being used, if not main
  • I have added tests to validate that the change in functionality is working as expected

Summary by CodeRabbit

  • Chores
    • Updated internal release workflow to optimize how provenance artifacts are handled during the draft release process. This change reorganizes artifact attachment timing and dependencies while maintaining existing verification workflows.

The slsa-github-generator (pinned at v2.1.0) attaches provenance using
softprops/action-gh-release@v2.2.1, whose draft lookup reassigns the
match on every page of releases instead of breaking on first hit. Once a
repo crosses 100 releases (2 pages), the fresh draft on page 1 is
clobbered by the empty page 2, the action falls through to
createRelease(), and two drafts end up on the same tag.

Set upload-assets: false so the generator no longer touches the release,
and add a release-provenance job that downloads the provenance artifact
and attaches it to goreleaser's single draft via 'gh release upload',
which resolves the draft deterministically by tag.
@coderabbitai

coderabbitai Bot commented Jun 19, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 83737bf9-5925-496a-99fb-590c15b30009

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Walkthrough

The CI workflow is updated to decouple SLSA binary provenance generation from release asset attachment. The binary-provenance job has upload-assets disabled, and a new release-provenance job downloads the provenance artifact and uploads it to the draft release using gh release upload with --clobber. The undraft-release job's needs list is updated to depend on release-provenance instead of binary-provenance.

Changes

SLSA Provenance Release Attachment Refactor

Layer / File(s) Summary
release-provenance job and undraft-release dependency update
.github/workflows/main.yaml
Disables upload-assets on the binary-provenance generator step; adds a new release-provenance job that downloads the provenance artifact and uploads it to the tag's draft release via gh release upload --clobber; updates undraft-release's needs list to reference release-provenance instead of binary-provenance.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related issues

  • Enable immutable tags/releases openfga#3172: This PR implements the workflow solution described in that issue by disabling auto-upload in binary-provenance, adding a dedicated release-provenance job, and updating undraft-release to depend on it before publishing.

Possibly related PRs

  • openfga/cli#693: Both PRs modify .github/workflows/main.yaml to change how SLSA provenance assets are uploaded to tag-based draft releases, with overlapping changes to provenance upload wiring.

Suggested reviewers

  • rhamzeh
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title directly and clearly describes the main change: attaching SLSA provenance to draft releases via gh release upload, which matches the PR's primary objective of fixing duplicate drafts.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/fix-provenance-duplicate-draft

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@SoulPancake SoulPancake marked this pull request as ready for review June 19, 2026 17:57
@SoulPancake SoulPancake requested a review from a team as a code owner June 19, 2026 17:57
Copilot AI review requested due to automatic review settings June 19, 2026 17:57

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adjusts the release/provenance publishing flow in the GitHub Actions pipeline to avoid slsa-github-generator’s release/draft mutation behavior (via softprops/action-gh-release) and instead attach the generated SLSA provenance to the existing GoReleaser-managed draft release deterministically by tag using gh release upload.

Changes:

  • Disable SLSA generator release-asset uploading (upload-assets: false) so it no longer modifies/releases drafts.
  • Add a release-provenance job to download the provenance workflow artifact and upload it to the draft release via gh release upload <tag> ....
  • Update undraft-release to wait on release-provenance rather than binary-provenance.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread .github/workflows/main.yaml
With upload-assets: false the generator's upload-assets job (the only one
needing contents: write) is skipped, so contents: read suffices.
rhamzeh
rhamzeh previously approved these changes Jun 19, 2026
Comment thread .github/workflows/main.yaml
rhamzeh
rhamzeh previously approved these changes Jun 20, 2026
@SoulPancake SoulPancake enabled auto-merge June 20, 2026 02:37
auto-merge was automatically disabled June 20, 2026 02:57

Pull request was closed

@SoulPancake SoulPancake reopened this Jun 20, 2026
@SoulPancake SoulPancake enabled auto-merge June 20, 2026 02:57
@SoulPancake

Copy link
Copy Markdown
Member Author
image Turns out it needs the contents: write access even when the upload assets flag is set to false 🤔

@SoulPancake

Copy link
Copy Markdown
Member Author

Known issue with it
slsa-framework/slsa-github-generator#2044 (comment)

@SoulPancake SoulPancake added this pull request to the merge queue Jun 20, 2026
Merged via the queue into main with commit 2c4adfb Jun 20, 2026
26 checks passed
@SoulPancake SoulPancake deleted the chore/fix-provenance-duplicate-draft branch June 20, 2026 05:00
@openfga-releaser-bot openfga-releaser-bot Bot mentioned this pull request Jun 23, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants