fix(notify): recover immutable staged SBOM#121
Conversation
Normalize every SPDX annotation timestamp so fresh helper SBOMs are deterministic. During release recovery, fetch the existing draft SBOM by validated asset ID, verify its API digest and canonical content against a fresh scan, then use those immutable bytes locally when rebuilding the release manifest. Cross-check manifest SBOM and image-digest bindings before rollout.
📝 WalkthroughWalkthroughThe release workflow now normalizes additional SBOM metadata, verifies and adopts immutable staged SBOMs only after digest and content checks, improves asset mismatch diagnostics, and validates binary SBOM and image-digest hashes in rollout manifests. Publish-safety assertions enforce these recovery requirements. ChangesRelease integrity validation
Estimated code review effort: 4 (Complex) | ~45 minutes Possibly related PRs
Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 7✅ Passed checks (7 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
@coderabbitai review |
✅ Action performedReview finished.
|
|
@coderabbitai review |
✅ Action performedReview finished.
|
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/docker.yml (1)
912-926: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick winThird copy of the
resolve_releaseGraphQL+REST lookup logic.This inline block duplicates the
resolve_release()function already defined at Lines 1068-1089 and 1180-1197. Adding a third copy increases the chance that a future fix (e.g., an added validation check) lands in one copy but not the others.Consider extracting this into a shared script (e.g.,
.github/scripts/resolve-release.sh) sourced by all three steps.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/docker.yml around lines 912 - 926, Extract the duplicated GraphQL-and-REST release lookup into a shared `.github/scripts/resolve-release.sh` helper, preserving the existing validation and release ID resolution behavior. Update the inline block and both existing `resolve_release()` implementations to source or invoke this shared helper, ensuring all three workflow steps use the same logic.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/docker.yml:
- Around line 912-926: Extract the duplicated GraphQL-and-REST release lookup
into a shared `.github/scripts/resolve-release.sh` helper, preserving the
existing validation and release ID resolution behavior. Update the inline block
and both existing `resolve_release()` implementations to source or invoke this
shared helper, ensuring all three workflow steps use the same logic.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: CHILL
Plan: Pro Plus
Run ID: 5051ec2a-bbbb-4020-887c-140a9e3377a5
📒 Files selected for processing (2)
.github/scripts/notify-publish-safety.rb.github/workflows/docker.yml
📜 Review details
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/**/*.yml
⚙️ CodeRabbit configuration file
.github/workflows/**/*.yml: Review CI for correct Go test tags, Xcode/iOS simulator assumptions, secret scoping,
dependency integrity, permissions, Docker publishing safety, and unnecessary privilege escalation.
Files:
.github/workflows/docker.yml
🔇 Additional comments (7)
.github/workflows/docker.yml (5)
693-701: LGTM!Also applies to: 892-901
1124-1130: LGTM!
1223-1232: LGTM!
632-635: LGTM!Also applies to: 830-831, 1162-1164
944-955: 🎯 Functional CorrectnessNo issue:
trivy-actionv0.36.0 already defaults to Trivyv0.70.0, so theTool: trivy-0.70.0check matches the SBOM generator.> Likely an incorrect or invalid review comment..github/scripts/notify-publish-safety.rb (2)
386-419: LGTM!
570-571: LGTM!
|
Review resolution: the suggested shared release-resolver script is intentionally not introduced in this recovery PR. Every source-bound publication job checks out immutable release commit 664a896, where a new main-only helper would not exist; fetching one from main would mix control code into the release checkout. The inline read-only lookups therefore remain explicit and are statically guarded by the publish-safety policy. |
Summary
Failure evidence
Recovery publication run 29344240756 was bound to main@589de9d92dd7eaddfb264765edbdf7c49ce7f8f6. Policy, notify, owner, immutable image, binary-attestation, and binary-build gates succeeded. Stage Release Binaries failed while comparing the freshly generated SBOM to private draft 353712477.
All five binaries and SHA256SUMS remained byte-identical. Trivy 0.70.0 had embedded its invocation time in every package annotation even though creationInfo.created was normalized. After normalizing only those runtime annotation timestamps, the fresh and staged SPDX documents matched exactly. The draft remains private and unchanged with exactly nine pre-rollout assets. No helper container, upgrade, downgrade, forward recovery, rollout evidence, finalization, or public release occurred.
Security and compatibility
Verification
Release truth
Helper publication remains NO-GO. The release is still a private draft, and the real published-image upgrade, rollback, forward-recovery, finalization, and public verification gates must all still succeed.