26478793068
95%

Ran 26 May 2026 10:35PM UTC

Jobs 1

Files 89

Run time 1min

Badge

Embed ▾

Committed 26 May 2026 10:28PM UTC coverage: 94.991%. Remained the same

Build # 26478793068

Build Type

push

github

Committed by

web-flow

Commit Message

fix(release-sign): use @v2.1.0 tag ref (SLSA generator rejects SHA pins) (#533)

fix(release-sign): use tag ref for SLSA generator (it rejects SHA pins)

The SLSA generator's internal generate-builder.sh validates the calling
ref against `refs/tags/vX\.Y\.Z` and refuses anything else with:

  Fetching the builder with ref: <sha>
  Invalid ref: <sha>. Expected ref of the form refs/tags/vX.Y.Z

That's because the script downloads the prebuilt generator binary from
the GitHub release matching the tag — there's no equivalent operation
keyed on a commit SHA. Subsequent steps that try to invoke the binary
then fail with "No such file or directory" (exit 127).

The SLSA project anchors integrity differently from typical actions:
the hash of the generator binary is hardcoded in the workflow at each
tagged release, and the workflow_call boundary itself is what gets
pinned by tag. SHA-pinning the reusable workflow file is intentionally
not supported.

Switch to `@v2.1.0`. Add a comment explaining why this single uses:
line departs from the repo's "all actions SHA-pinned" convention so
nobody re-SHA-pins it during a future audit.

Observed in run 26478005951.

Coverage Stats

13445 of 14154 relevant lines covered (94.99%)

402862.82 hits per line

Jobs

ID	Job ID	Ran	Files	Coverage
1	26478793068.1	26 May 2026 10:35PM UTC	89	94.99	GitHub Action Run

prisma-risk / tsoracle / 26478793068
95%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 26478793068

prisma-risk / tsoracle / 26478793068 95%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Jobs

Source Files on build 26478793068

prisma-risk / tsoracle / 26478793068
95%

README BADGES
x