Skip to content

fix(ci): revert SLSA reusable workflow to tag pin#250

Merged
rhuanbarreto merged 1 commit into
mainfrom
fix/slsa-tag-reference
Apr 29, 2026
Merged

fix(ci): revert SLSA reusable workflow to tag pin#250
rhuanbarreto merged 1 commit into
mainfrom
fix/slsa-tag-reference

Conversation

@rhuanbarreto

Copy link
Copy Markdown
Contributor

Summary

  • Reverts #245's SHA pin on the SLSA reusable workflow back to @v2.1.0. SHA pinning broke the v0.31.0 release pipeline (run 25107195589) — the SLSA generator's generate-builder.sh extracts the version from the workflow ref to download the prebuilt builder binary from a GitHub release and rejects non-tag refs (Invalid ref: <sha>. Expected ref of the form refs/tags/vX.Y.Z).
  • Amends CI-001 with a "Carved-out exceptions" subsection documenting why SLSA must be tag-pinned, and corrects the previously incorrect "Reusable workflow compatibility" mitigation note.
  • Updates CI-001/no-unpinned-actions with a SHA_PIN_EXEMPT_PREFIXES allowlist so the exception is enforced rather than being a silent gap.
  • Adds an agent-memory entry warning future agents that the rule allowlist makes the trap invisible to archgate check.

Root cause

PR #245 was based on the (incorrect) assumption that the SLSA v2.x generator supports SHA-based reusable-workflow references. It does not — see upstream slsa-framework/slsa-github-generator#150. Trust for SLSA is anchored in the SLSA project's own signing/verification chain rather than via SHA pinning at the call site.

Side note

v0.31.0 shipped without a SLSA provenance attestation (the binary build jobs all succeeded; only the provenance generation failed). After this fix lands, either cut v0.31.1 or re-run the provenance workflow against the existing tag if backfill is needed.

Test plan

  • bun run validate passes (lint, typecheck, format:check, 690 tests, 23/23 ADR checks, build:check)
  • archgate check confirms CI-001/no-unpinned-actions still passes against release-binaries.yml (SLSA path is allowlisted)
  • Verify the next release run produces SLSA provenance and uploads *.intoto.jsonl to the GitHub Release

PR #245 SHA-pinned slsa-framework/slsa-github-generator's reusable
workflow to satisfy CI-001, but the SLSA generator's generate-builder.sh
extracts the version from the workflow ref to download the prebuilt
builder binary from a GitHub release. It rejects non-tag refs with
"Invalid ref: <sha>. Expected ref of the form refs/tags/vX.Y.Z" and
exits 2, which broke the v0.31.0 release pipeline (no provenance
generated, downstream upload-assets failed with "path not supplied",
final job exited 27).

Pin the SLSA reusable workflow by tag (@v2.1.0) and document this as a
carved-out exception in CI-001. Update the no-unpinned-actions rule with
a SHA_PIN_EXEMPT_PREFIXES allowlist so the exception is enforced rather
than being a silent gap.

Upstream limitation: slsa-framework/slsa-github-generator#150.
Failing run: https://github.com/archgate/cli/actions/runs/25107195589

Signed-off-by: Rhuan Barreto <rhuan.barreto@gmail.com>
@cloudflare-workers-and-pages

Copy link
Copy Markdown

Deploying archgate-cli with  Cloudflare Pages  Cloudflare Pages

Latest commit: faa2be7
Status: ✅  Deploy successful!
Preview URL: https://e9c80a0d.archgate-cli.pages.dev
Branch Preview URL: https://fix-slsa-tag-reference.archgate-cli.pages.dev

View logs

@rhuanbarreto rhuanbarreto merged commit f350bce into main Apr 29, 2026
10 checks passed
@rhuanbarreto rhuanbarreto deleted the fix/slsa-tag-reference branch April 29, 2026 12:25
@github-actions github-actions Bot mentioned this pull request Apr 29, 2026
rhuanbarreto added a commit that referenced this pull request May 18, 2026
Renovate PR #284 re-pinned the SLSA generator to a SHA digest,
breaking provenance generation on the v0.37.0 release. The SLSA
generator's generate-builder.sh rejects non-tag refs.

This is the same fix as #250. A Renovate exclusion rule has been
added to archgate/renovate-config (PR #10) to prevent recurrence.

Ref: slsa-framework/slsa-github-generator#150

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
rhuanbarreto added a commit that referenced this pull request May 19, 2026
* fix(ci): revert SLSA reusable workflow to tag pin

Renovate PR #284 re-pinned the SLSA generator to a SHA digest,
breaking provenance generation on the v0.37.0 release. The SLSA
generator's generate-builder.sh rejects non-tag refs.

This is the same fix as #250. A Renovate exclusion rule has been
added to archgate/renovate-config (PR #10) to prevent recurrence.

Ref: slsa-framework/slsa-github-generator#150
Signed-off-by: Rhuan Barreto <rhuan@barreto.work>

* test: improve code coverage from 63% to 74% (+179 tests)

Add comprehensive tests across 21 files covering previously untested
command action handlers, helper functions, and engine logic. Tests
follow existing conventions: bun:test, temp dirs, spyOn mocking,
globalThis.fetch replacement, and SPDX headers.

Phase 1 - Pure logic:
- rule-scanner: scanImportedRuleSource() AST analysis
- registry: detectTarget() and resolveSource() edge cases
- update-check: cache-miss write path and semver edge cases
- pack-recommend: recommendPacks() with mocked shallowClone

Phase 2 - Command integration:
- New: telemetry command (status/enable/disable)
- New: doctor command (--json, formatted output, WSL, errors)
- session-context: error paths for all 4 editors
- review-context: error handling and option forwarding
- login: status/logout/login action handlers
- adr/create: --files, --rules, --json non-interactive paths

Phase 3 - Helpers with I/O mocking:
- telemetry: CI detection, shell detection, track* functions
- platform: WSL paths return null on non-WSL, resolveCommand

Phase 4 - Complex commands:
- adr/sync: --check, --yes, --json, diff detection, source filter
- adr/import: --list, --dry-run, --yes, ID remapping, rules copy
- upgrade: formatBytes, already-up-to-date, fetch failure paths
- plugin/url: all --editor variants

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>

* fix(test): sort import test assertions to avoid filesystem ordering differences

The --dry-run --json and --yes --json tests assumed ADR files would be
read in alphabetical order, but Linux readdir returns them in a different
order than Windows. Sort the parsed arrays by ID before asserting.

Also compact comment blocks to stay under the 500-line oxlint limit.

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>

* test: add WSL detection tests via env-var mocking on Linux CI

On the Linux CI runner, set WSL_DISTRO_NAME/WSL_INTEROP env vars to
exercise the WSL detection branches in platform.ts without needing a
real WSL environment. The wslpath/cmd.exe calls fail gracefully
(returning null), which covers the error paths too.

Also test the vscode-settings WSL fallback path: when WSL is detected
but cmd.exe is unavailable, getVscodeUserSettingsPath falls through
to the standard Linux ~/.config path.

Tests are gated with test.skipIf(!isNativeLinux) so they only run on
the Linux CI runner and are skipped on Windows/macOS.

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>

* test: add remaining coverage improvements (Phases 3+4)

Add tests for 11 more files covering helpers with I/O mocking,
complex commands, and previously never-loaded modules.

Phase 3 - Helpers with I/O mocking:
- credential-store: gitCredentialFill timeout, clearCredentials
- telemetry-config: showFirstRunNoticeIfNeeded all branches
- install-info: getProjectContext edge cases, cache behavior
- vscode-settings: addMarketplaceToUserSettings, WSL fallback
- init-project: configureEditorSettings all editors, tryInstallPlugin
- binary-upgrade: checksum verify/mismatch, zip extraction, replaceBinary

Phase 4 - Complex commands and never-loaded files:
- plugin-install: URL builders, CLI checks, install/download functions
- plugin/install cmd: auth guard, editor paths, failure handling
- login-flow: full device flow, signup, TLS errors (all mocked)
- check cmd: registration + action handler via temp project fixtures
- formats/rules: RuleSet/RuleResult schema validation

Also fix mock.module cross-test pollution in plugin/install.test.ts
by converting findProjectRoot mock from mock.module to spyOn.

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>

* fix(test): fix CI failures in credential-store and vscode-settings tests

- credential-store: gate saveCredentials tests that depend on OS
  credential helper behavior with test.skipIf(platform !== "win32").
  Fix round-trip test to set GIT_CONFIG_GLOBAL to point at the custom
  gitconfig with the store helper.
- vscode-settings: use a fresh nested subdir for the "creates directory
  structure" test so it doesn't fail when ~/.config/Code/ already exists
  on the CI runner.
- Re-add WSL fallback test that was lost during agent merge.

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>

* fix(test): fix remaining CI failures on Linux

- vscode-settings: remove pre-condition assertion that settings dir
  doesn't exist (homedir() on Linux may not reflect HOME override,
  and ~/.config/Code/ may already exist on CI runner)
- credential-store: skip round-trip test entirely — git credential
  store helper interaction differs across platforms due to Bun.env
  snapshot timing. Remove unused isWindows import.

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>

---------

Signed-off-by: Rhuan Barreto <rhuan@barreto.work>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant