ci: implement immutable releases support with actions/attest #413
Merged
Since actions/attest@v4 stores attestations via GitHub's attestation API (not as release assets), repos that only use attestation don't need draft releases. Release-please can publish the release directly.

Changes:
- Remove draft:true from release-please-config.json
- Remove create-tag job/steps (force-tag-creation handles this)
- Remove publish-release job (release is published directly)
- Remove publish_release input from manual workflows
force-tag-creation only operates in conjunction with draft releases. Since this repo does not use draft releases (attestation-only, no artifact uploads to the release), force-tag-creation is not needed.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
kinyoklion approved these changes Apr 6, 2026

Requirements
N/A — CI-only and documentation changes, no application code or tests affected.
Related issues
Supports the org-wide migration to immutable GitHub releases. Reference implementation: `launchdarkly/ld-relay` (branch `v8`).
Describe the solution you've provided
GitHub's immutable releases feature prevents modifying a release after it is published. This repo only uses attestation (no binary/artifact uploads to the release), so `actions/attest@v4` — which stores attestations via GitHub's attestation API rather than as release assets — is compatible with immutable releases without needing draft releases.

This PR makes the following changes:
- SLSA → `actions/attest@v4` (both workflows): Replaced the separate `release-provenance` job (using the `slsa-framework/slsa-github-generator` reusable workflow with `upload-assets: true`) with inline `actions/attest@v4` steps within the build job. Attestation now uses `subject-path: 'dist/*'` to reference the built distribution files directly on disk, eliminating the old base64-encoded hash round-trip entirely.
- Removed hash outputs from build action: The `package-hashes` output and "Hash build files for provenance" step were removed from `.github/actions/build/action.yml` since `subject-path` reads files directly rather than requiring pre-computed checksums.
- `attestations: write` permission: Added to both workflows to support `actions/attest@v4`.
- Removed orphaned job outputs from `release-please.yml`: The `release-created`, `upload-tag-name`, and `package-hashes` outputs were only consumed by the now-removed `release-provenance` job. All three have been removed.
- Removed orphaned `package-hashes` output from `manual-publish.yml`: Similarly unused after removing the `release-provenance` job.
- Updated `PROVENANCE.md`: Replaced SLSA verifier instructions with `gh attestation verify --owner launchdarkly` instructions and sample output reflecting GitHub artifact attestations.
- `README.md`: The SLSA framework heading and description are preserved verbatim (the GitHub-specific verification details live in `PROVENANCE.md`). Only a minor trailing-whitespace fix is included.
- `dry_run` condition fix: Uses `format('{0}', inputs.dry_run) == 'false'` to safely handle the boolean/string mismatch between `workflow_call` (boolean) and `workflow_dispatch` (string) trigger types.

Key things for reviewer to verify:
- `subject-path: 'dist/*'` correctly matches the `poetry build` output (`.tar.gz` and `.whl` files in `./dist/`).
- `release-created` or `upload-tag-name` job outputs from `release-please.yml`. These were only consumed by the `release-provenance` job within this workflow.
- `gh attestation verify` output from ld-relay. The repo/workflow names are adapted for this repo but haven't been verified against an actual attested release yet.
- `force-tag-creation` is needed for this repo since `actions/attest@v4` does not upload assets to the GitHub release.

Updates since last revision
- `skip-github-pull-request`/`skip-github-release`) that was briefly added. That pattern is only needed for repos that upload artifacts to releases (which require draft releases). Since this repo is attestation-only, the standard single-pass release-please is correct.
- `PROVENANCE.md` to use `gh attestation verify --owner launchdarkly` with the full real output template (policy criteria, attestation details) instead of a simplified placeholder.
- `tag` input from `manual-publish.yml` (flagged by Cursor Bugbot as dead code).
- `release-created` and `upload-tag-name` job outputs from `release-please.yml`.
- `dry_run` conditions to use `format('{0}', inputs.dry_run) == 'false'` for correct boolean/string handling across trigger types.
- `subject-checksums` to `subject-path: 'dist/*'`, eliminating the base64 encode/decode round-trip entirely.

Describe alternatives you've considered
An earlier revision used draft releases with a `publish-release` job to un-draft after completion. This was simplified since this repo only uses attestation (not artifact uploads), so draft releases are unnecessary.

An intermediate revision used `subject-checksums` with a checksums file (base64 decode of hashes computed in the build action). This was replaced with `subject-path` since the artifacts are on disk in the same job, making the hash round-trip redundant.

The verify command could use `-R launchdarkly/python-server-sdk` to scope verification to this specific repo, but `--owner launchdarkly` was chosen for consistency across all LaunchDarkly SDK repos.

Additional context
No application code or test changes. Only CI workflow files and documentation are modified.
Link to Devin session: https://app.devin.ai/sessions/7d5bda4d9dbe4ae0b950b30a50485e60
Requested by: @keelerm84
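The PR above argues that `subject-path: 'dist/*'` and the older `subject-checksums` route are equivalent because both reduce to one SHA-256 digest per distribution file, and that `gh attestation verify` is the consumer-side check. The following is an added example written for this page; it is not code from the PR or from the launchdarkly/python-server-sdk repository. It models the producer side both ways (digesting files on disk, and writing/parsing the sha256sum-style `<hex>  <name>` checksums file that `subject-checksums` consumes) and the digest comparison a verifier performs before it even looks at the signature and certificate (which this example does not reproduce). The `dist` file names and contents in `demo()` are constructed stand-ins for `poetry build` output, not real artifacts.

```python
"""Added example (not project code): what an artifact attestation's subject
binds to, and why the checksum round-trip the PR removed was redundant."""
import hashlib
import hmac
import tempfile
from pathlib import Path

HEX = set("0123456789abcdef")


def sha256_file(path: Path) -> str:
    """Stream the file so large wheels/sdists are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def subjects_from_path(dist_dir: Path, pattern: str = "*") -> dict[str, str]:
    """Model of `subject-path: 'dist/*'`: name -> sha256 for every regular file."""
    return {p.name: sha256_file(p)
            for p in sorted(dist_dir.glob(pattern)) if p.is_file()}


def write_checksums(subjects: dict[str, str], out_path: Path) -> str:
    """Emit sha256sum(1) output format ('<hex>  <name>'), which `subject-checksums` reads."""
    text = "".join(f"{digest}  {name}\n" for name, digest in subjects.items())
    out_path.write_text(text)
    return text


def parse_checksums(text: str) -> dict[str, str]:
    """Strict parser: accept only a 64-hex digest followed by a file name."""
    subjects: dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0]) <= HEX:
            raise ValueError(f"line {lineno}: malformed checksum line: {line!r}")
        digest, name = parts
        if name.startswith("*"):  # sha256sum's binary-mode marker
            name = name[1:]
        if name in subjects and subjects[name] != digest:
            raise ValueError(f"line {lineno}: conflicting digest for {name}")
        subjects[name] = digest
    return subjects


def verify_artifact(path: Path, subjects: dict[str, str]) -> bool:
    """Consumer side: the file is covered by the attestation only if its digest
    equals a subject digest. Lookup is by name, but trust comes from the digest."""
    expected = subjects.get(path.name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_file(path), expected)


def demo() -> dict[str, object]:
    """Run both attestation routes over constructed dist files, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        dist = Path(tmp) / "dist"
        dist.mkdir()
        # Constructed stand-ins for `poetry build` output (not real artifacts).
        wheel = dist / "example_sdk-1.2.3-py3-none-any.whl"
        sdist = dist / "example_sdk-1.2.3.tar.gz"
        wheel.write_bytes(b"PK\x03\x04 constructed wheel payload")
        sdist.write_bytes(b"\x1f\x8b constructed sdist payload")

        via_path = subjects_from_path(dist)
        checksums_file = Path(tmp) / "checksums.txt"
        via_checksums = parse_checksums(write_checksums(via_path, checksums_file))

        # A consumer downloads the wheel; a second copy is tampered by one byte.
        download = Path(tmp) / wheel.name
        download.write_bytes(wheel.read_bytes())
        tampered = Path(tmp) / "tampered" / wheel.name
        tampered.parent.mkdir()
        tampered.write_bytes(wheel.read_bytes() + b"\x00")

        return {
            "subject_count": len(via_path),
            "routes_agree": via_path == via_checksums,
            "download_ok": verify_artifact(download, via_path),
            "tampered_ok": verify_artifact(tampered, via_path),
            "unknown_name_ok": verify_artifact(checksums_file, via_path),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

`routes_agree` is the point of the PR's simplification: digesting `dist/*` in the same job yields exactly the subjects the checksums file would have carried, so encoding, passing and decoding hashes between jobs adds a step without adding any binding. The tampered and unknown-name cases show why verification must compare digests rather than trust a file name.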
Note
Medium Risk
Changes the release/publish GitHub Actions workflows and provenance generation, which could impact PyPI publishing or provenance availability if misconfigured, but does not touch runtime SDK code.
Overview
Switches package provenance generation from the SLSA reusable workflow (uploading provenance as release assets) to GitHub Artifact Attestations via `actions/attest@v4`, attesting directly over `dist/*`. Removes the build action's `package-hashes` output/hash step and deletes the now-unused workflow outputs and `release-provenance` jobs; adds `attestations: write` permissions and fixes `dry_run` gating in `manual-publish.yml`. Updates `PROVENANCE.md` to document verification via `gh attestation verify` (README only gets minor whitespace/wording cleanup).
Reviewed by Cursor Bugbot for commit 376a848.