
prisma-risk / tsoracle / 26485204847
95%

Build:
DEFAULT BRANCH: main
Ran 27 May 2026 01:34AM UTC
Jobs 1
Files 89
Run time 1min

27 May 2026 01:28AM UTC coverage: 94.974%. Remained the same
26485204847

push

github

web-flow
ci(release): collapse SLSA signing into release-plz, drop release-sign.yml (#556)

Move the per-crate SLSA provenance generation + asset attachment out of
the standalone release-sign.yml workflow and into release-plz.yml as a
downstream chain (`prepare-attestation` → `provenance` → `attach`) that
fans out via `strategy.matrix.include` over the `releases` output of the
release-plz action. The signing chain is skipped when no crates were
published in the run (the common case on regular pushes).

The rewrite also fixes a latent bug in the deleted workflow: it referenced
`needs.provenance.outputs.provenance-download-name`, which v2.1.0 of the
SLSA generic generator does not export. The expression evaluated to empty,
which silently switched actions/download-artifact into "download all
artifacts" mode and produced a directory at the path the upload step
expected to be a file — the cause of the 1.0.0 `is a directory` failure.

Trade-offs:

- Manual workflow_dispatch backfill of pre-existing releases is no longer
  supported. Signing problems are fixed forward, not retroactively.
- The signing chain runs in a `push: main`-triggered workflow, so the
  SLSA generator records `refs/heads/main` instead of `refs/tags/<tag>`.
  Verification with slsa-verifier uses `--source-branch main` rather than
  `--source-tag`; the specific release tag is still verifiable via
  `git verify-tag` (gitsign) and the commit SHA recorded in the
  provenance. docs/release-signatures.md updated accordingly.
- 1.0.0 GitHub Releases produced before this lands have no .intoto.jsonl
  asset; their tags remain gitsign-signed and crates.io carries the
  published tarballs. Future releases (1.0.1+) will carry full provenance.

Defensive checks preserved from release-sign.yml: tag-shape regex on each
entry from release-plz, and a workspace-membership assertion that the
released crate name actually exists as a workspace member at this commit.

Signed-off-by: Sebastian Thiebaud <sebastian@prismarisk.com>
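
The two defensive checks and the empty-artifact-name failure described in the commit message above, sketched as POSIX shell guards. This is an added example, not code from the tsoracle workflows; the tag shape `<crate>-v<semver>`, the function names and the crate names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not the project's workflow code). Assumed tag shape:
# <crate>-v<MAJOR.MINOR.PATCH>. Function bodies run in subshells, so `exit`
# only sets the function's return status.
NL='
'

# validate_release TAG MEMBERS
# Prints the crate name when TAG has the expected shape and the crate is
# listed in MEMBERS (newline-separated workspace member names).
validate_release() (
  tag=$1; members=$2
  # grep matches line by line, so refuse multi-line input before the regex.
  case $tag in *"$NL"*) echo "rejected: newline in tag" >&2; exit 1 ;; esac
  printf '%s\n' "$tag" |
    grep -Eq '^[a-z0-9][a-z0-9_-]*-v[0-9]+\.[0-9]+\.[0-9]+$' || {
      echo "rejected: tag shape: $tag" >&2; exit 1; }
  crate=${tag%-v*}            # strip the trailing -v<version>
  printf '%s\n' "$members" | grep -Fxq -- "$crate" || {
    echo "rejected: $crate is not a workspace member" >&2; exit 2; }
  printf '%s\n' "$crate"
)

# require_provenance_file NAME DIR
# Fails closed on the two symptoms from the commit message: an artifact name
# that evaluated to empty, and a directory where a single file was expected.
require_provenance_file() (
  name=$1; dir=$2
  [ -n "$name" ] || { echo "rejected: empty artifact name" >&2; exit 1; }
  [ -f "$dir/$name" ] || {
    echo "rejected: $dir/$name is not a regular file" >&2; exit 2; }
)

# Constructed sample input; in CI the member list would come from the
# workspace manifest at the commit being released.
MEMBERS='example-core
example-client'
for t in example-core-v1.0.1 example-core-1.0.1 unknown-v1.0.1; do
  validate_release "$t" "$MEMBERS" || echo "skip signing for $t"
done
require_provenance_file "" /tmp || echo "refusing to upload"
```
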

13511 of 14226 relevant lines covered (94.97%)

394960.36 hits per line

Jobs
ID | Job ID | Ran | Files | Coverage
1 | 26485204847.1 | 27 May 2026 01:34AM UTC | 89 | 94.97
  • d931a73c on github