feat(release): binary + attestation release pipeline #123
Open
avrabe wants to merge 2 commits into
… signing

Adds .github/workflows/release.yml triggered on v* tags: cross-platform synth CLI builds (linux x86_64/aarch64, macOS x86_64/aarch64), SHA256SUMS, GitHub-native SLSA build provenance (actions/attest-build-provenance), and Sigstore keyless cosign signature over SHA256SUMS. Modelled on the sibling pulseengine/witness + rivet release workflows, with the sigil supply-chain permissions block (contents/id-token/attestations: write). The release build uses only the riscv feature; the verify feature (z3-sys) is intentionally excluded to keep the build fast and network-free — the CLI degrades gracefully without it. docs/release-process.md documents how to cut a release, the provenance and signing verification commands, the release checklist, the CHANGELOG mapping, and a 5-phase rollout plan (Phases 1-3 implemented; 4 crates.io and 5 ELF output signing via sigil noted as future work).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Aligns the macOS Intel target's runner with pulseengine/rivet and pulseengine/witness — both Rust-workspace CLIs, the closest analogs to synth — which build `x86_64-apple-darwin` by cross-compiling on the arm64 `macos-14` runner. The initial draft used `macos-15-intel` (pulseengine/sigil's choice — a native Intel runner), but the rivet/witness majority is the better fit for a Rust CLI: the existing build step already does `cargo build --target x86_64-apple-darwin` with the target installed via `dtolnay/rust-toolchain`, so the arm64 host cross-compiles cleanly with no extra steps. aarch64-apple-darwin stays on `macos-latest` (all three siblings agree).
Addressed the three review decisions:
Codecov Report: All modified and coverable lines are covered by tests.
Summary
synth's first real release pipeline. The existing 4 releases (v0.1.1–v0.3.0) are release-notes only — no binary assets, no provenance, no signatures. This adds cross-platform binaries, SLSA build provenance, and Sigstore keyless signing, modeled on the sibling PulseEngine repos that already do this.
Modeled on the siblings
Studied the release workflows of three sibling repos:
Studied the release workflows of three sibling repos:

- sigil (the supply-chain-security tool) — cosign keyless (Fulcio + Rekor), SLSA, crates.io trusted publishing via OIDC. Source of this PR's `permissions:` block.
- rivet (Rust-workspace CLI, closest analog) — hand-rolled target matrix, `cross` for aarch64-linux, `SHA256SUMS.txt`, cosign sign-blob over the checksums, idempotent `gh release` calls.
- witness — same Rust-workspace pattern, per-asset `.sig` + `.cert`, `SOURCE_DATE_EPOCH` reproducibility.

synth's `release.yml` follows the witness/rivet Rust-CLI pattern with sigil's permissions.

What's in this PR

`.github/workflows/release.yml` (228 lines)

- Triggered on `v*` tag push (plus `workflow_dispatch` to re-run an existing tag).
- Targets: x86_64/aarch64 Linux, x86_64/aarch64 macOS. aarch64-linux via `cross`.
- `.tar.gz` packaging; `SHA256SUMS.txt` over all assets.
- Provenance: `actions/attest-build-provenance` (GitHub-native — no sibling uses the standalone SLSA generator).
- Cosign keyless signature over `SHA256SUMS.txt` (Fulcio cert + Rekor transparency log).
- Idempotent `gh release create`/`upload --clobber`.
- Permissions: `contents: write`, `id-token: write`, `attestations: write`.
- The `workflow_dispatch` tag input is bound via `env: INPUT_TAG` and dereferenced as `$VERSION` in `run:` blocks — never interpolated directly.
- Built with the `riscv` feature, not `verify`/z3-sys — avoids the network-fetch / temp-disk issues that the z3 dependency causes.

`docs/release-process.md` (207 lines)

- How to cut a release; provenance and signing verification commands (`gh attestation verify`, `cosign verify-blob`).
- crates.io publishing and ELF output signing (via `sigil`) documented as future work.

Decisions for review

- `cargo-dist` — none of the three siblings use it; this PR matches their hand-rolled pattern. Confirm that's the intended direction.
- crates.io publishing would need a `CRATES_IO_TOKEN` secret or (preferred, matching sigil) crates.io trusted publishing for the repo, plus complete metadata on all 17 workspace crates.
- `macos-15-intel` runner for `x86_64-apple-darwin` (sigil's choice; `macos-13` is deprecated). Adjust if the org pins a different image.

Test plan

- YAML validated with `python3` `yaml.safe_load` (`actionlint` was sandbox-blocked, please run in CI).
- The `workflow_dispatch` path lets us re-run against an existing tag without re-tagging.

Scope
This PR adds the capability only — it does not bump versions or cut a release.
🤖 Generated with Claude Code
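A consumer-side verification script for the release assets this pipeline publishes, added here as an example and not code from the PR or the pulseengine repos. It assumes the repo slug `pulseengine/synth`, the workflow path `.github/workflows/release.yml` for identity pinning, and that the cosign step writes `SHA256SUMS.txt.sig` and `SHA256SUMS.txt.pem` next to the checksum file; `check_sums` works offline, while the cosign and `gh attestation` steps need the downloaded assets and network access.

```shell
#!/usr/bin/env bash
# Consumer-side verification of a synth release: added example, not code from
# the PR or the pulseengine repos. Assumed (not stated in the PR): the repo slug,
# the workflow path, and the .sig/.pem file names written by cosign sign-blob.
set -eu

REPO="${REPO:-pulseengine/synth}"
OIDC_ISSUER="https://token.actions.githubusercontent.com"
# Pin the signer to this repo's release workflow on a v* tag. Without this
# identity check a keyless signature from any Fulcio-issued cert would pass.
IDENTITY_RE="${IDENTITY_RE:-^https://github.com/${REPO}/\.github/workflows/release\.yml@refs/tags/v}"

# Portable SHA-256 of one file (coreutils sha256sum or macOS shasum).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# Check every "<hash>  <name>" line of a SHA256SUMS file against files in $2.
# Returns 0 only if every listed file exists and matches; reports each failure.
check_sums() {
  local sums="$1" dir="$2" status=0 hash name actual
  while read -r hash name; do
    [ -n "$hash" ] || continue
    name="${name#\*}"                      # tolerate binary-mode "*name"
    if [ ! -f "$dir/$name" ]; then echo "MISSING  $name"; status=1; continue; fi
    actual="$(sha256_of "$dir/$name")"
    if [ "$actual" != "$hash" ]; then echo "MISMATCH $name"; status=1; fi
  done < "$sums"
  return "$status"
}

# 1. Keyless signature over the checksum list (Fulcio cert + Rekor entry).
verify_sums_signature() {
  cosign verify-blob \
    --certificate SHA256SUMS.txt.pem --signature SHA256SUMS.txt.sig \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-oidc-issuer "$OIDC_ISSUER" SHA256SUMS.txt
}

# 2. SLSA build provenance for one asset, bound to the repo that built it.
verify_provenance() { gh attestation verify "$1" --repo "$REPO"; }

main() {
  verify_sums_signature          # trust the list first ...
  check_sums SHA256SUMS.txt .    # ... then the assets against the list
  for asset in synth-*.tar.gz; do verify_provenance "$asset"; done
  echo "release verified"
}
# Runs only when invoked as a script: RUN_VERIFY=1 ./verify-release.sh
if [ "${RUN_VERIFY:-0}" = 1 ]; then main "$@"; fi
```

The order matters: the signature and identity check establish that `SHA256SUMS.txt` came from this repo's release workflow before any asset hash is trusted, and provenance is then checked per asset.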