fix: accept reusable-workflow cert identity for evolve releases #8
Merged
bitwise-fast-forward-merge[bot] merged 1 commit into bitwise-media-group:main on Jun 24, 2026
Conversation
Contributor
Note on merging this PR: this repository merges by fast-forward, so every The branch must be up to date with
Codecov Report: ❌ Patch coverage is
1844d8c to c0a097d
johankees approved these changes on Jun 24, 2026
Collaborator (Author)
/merge

Cannot
Since v0.3.0 the evolve release workflow is a thin caller into the shared reusable workflow in bitwise-media-group/github-workflows. GitHub Actions issues the Sigstore certificate to the *executing* workflow (the reusable one), so the SAN is now:

https://github.com/bitwise-media-group/github-workflows/.github/workflows/release.yaml@<sha>

rather than the caller's identity. The SLSA predicate externalParameters.workflow still records the caller (bitwise-media-group/evolve), so WORKFLOW_REPOSITORY / WORKFLOW_PATH are unchanged.

Since the old direct-workflow identity no longer appears in any v0.3.0+ attestation, installations of v0.2.x and earlier will always fail verification. resolveVersion() now hard-errors on any resolved version below MIN_SUPPORTED_VERSION (0.3.0) with a clear message, rather than letting the install proceed to a confusing sigstore failure.

Changes:
- CERT_IDENTITY_URI now matches the github-workflows reusable release workflow at any ref (commit SHA changes with each pin bump)
- MIN_SUPPORTED_VERSION = '0.3.0' added to constants; resolveVersion() rejects earlier versions before any download is attempted
- Unit-test VERIFY_POLICY assertion updated; SIGNER mock updated to a representative reusable-workflow SAN; two new guard tests added
- RELEASES fixture bumped (added v0.3.0, v0.4.0-rc.1; all tests that previously resolved to a sub-0.3.0 version updated accordingly)
- Integration test bumped to v0.3.0 with matching fixture bundles and expected SAN

Resolves bitwise-media-group#7

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
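An added example, not evolve's code nor the github-workflows reusable workflow, showing the policy the description separates into two checks: the Fulcio certificate SAN must name the executing reusable release workflow at any ref, and the SLSA predicate's externalParameters.workflow must name the caller, plus a resolveVersion() guard that refuses anything below MIN_SUPPORTED_VERSION before any download. The function names (checkSigner, checkProvenance, verifyRelease), the caller workflow path, the release fixture, the commit SHA and every sample bundle are assumptions constructed here; the predicate shape follows SLSA v1 build provenance as GitHub's attestation action emits it. The caveat worth seeing in code: once CERT_IDENTITY_URI matches the reusable workflow at any ref, the SAN alone no longer says which repository invoked that workflow, so the caller check against the predicate is what ties a bundle to bitwise-media-group/evolve.

```javascript
// Added example (not evolve's code): a verification policy shaped like the one
// the PR describes. Names, the release fixture, the SHA and the sample bundles
// are assumptions constructed for illustration.

const GITHUB_OIDC_ISSUER = "https://token.actions.githubusercontent.com";

// The Fulcio certificate names the *executing* workflow: the reusable release
// workflow in bitwise-media-group/github-workflows at whatever ref the caller
// pinned. The pinned SHA changes with each bump, so match any ref.
const CERT_IDENTITY_URI =
  /^https:\/\/github\.com\/bitwise-media-group\/github-workflows\/\.github\/workflows\/release\.yaml@\S+$/;

// The SLSA predicate's externalParameters.workflow names the *caller*.
const WORKFLOW_REPOSITORY = "bitwise-media-group/evolve";
const WORKFLOW_PATH = ".github/workflows/release.yaml"; // assumed caller path

// Releases before this were signed under the old direct-workflow identity,
// which no longer matches CERT_IDENTITY_URI, so refuse them up front.
const MIN_SUPPORTED_VERSION = "0.3.0";

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semantic version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] ?? null };
}

function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) if (x[k] !== y[k]) return x[k] - y[k];
  if (x.prerelease === y.prerelease) return 0;
  if (x.prerelease === null) return 1; // a release outranks its own prereleases
  if (y.prerelease === null) return -1;
  return x.prerelease < y.prerelease ? -1 : 1;
}

// Resolve "latest" (highest stable tag) or an explicit tag, then apply the
// version floor before anything is downloaded.
function resolveVersion(requested, releases) {
  const tags = releases.map((t) => t.replace(/^v/, ""));
  const resolved = requested === "latest"
    ? tags.filter((t) => parseVersion(t).prerelease === null).sort(compareVersions).at(-1)
    : tags.find((t) => t === requested.replace(/^v/, ""));
  if (!resolved) throw new Error(`no release matches ${requested}`);
  if (compareVersions(resolved, MIN_SUPPORTED_VERSION) < 0) {
    throw new Error(`evolve ${resolved} predates ${MIN_SUPPORTED_VERSION}; earlier releases were ` +
      "signed under a workflow identity this installer no longer trusts");
  }
  return resolved;
}

// cert: { issuer, san } as extracted from the Fulcio leaf certificate.
function checkSigner(cert) {
  if (cert.issuer !== GITHUB_OIDC_ISSUER) return { ok: false, reason: `unexpected OIDC issuer ${cert.issuer}` };
  if (!CERT_IDENTITY_URI.test(cert.san)) return { ok: false, reason: `SAN is not the reusable release workflow: ${cert.san}` };
  return { ok: true };
}

// predicate: SLSA v1 build provenance; externalParameters.workflow.repository is a full URL.
function checkProvenance(predicate) {
  const wf = predicate?.buildDefinition?.externalParameters?.workflow ?? {};
  const repo = String(wf.repository ?? "").replace(/^https:\/\/github\.com\//, "");
  if (repo !== WORKFLOW_REPOSITORY) return { ok: false, reason: `provenance caller is ${wf.repository}, not ${WORKFLOW_REPOSITORY}` };
  if (wf.path !== WORKFLOW_PATH) return { ok: false, reason: `provenance caller path is ${wf.path}, not ${WORKFLOW_PATH}` };
  return { ok: true };
}

// Both checks must pass: the SAN proves the trusted reusable workflow ran; the
// predicate proves evolve, not some other caller of that workflow, invoked it.
function verifyRelease(bundle) {
  for (const check of [checkSigner(bundle.cert), checkProvenance(bundle.predicate)]) {
    if (!check.ok) return check;
  }
  return { ok: true };
}

// Constructed fixtures (not real releases, certificates or attestations).
const RELEASES = ["v0.2.5", "v0.3.0", "v0.4.0-rc.1"];
const REUSABLE_SAN = "https://github.com/bitwise-media-group/github-workflows/.github/workflows/release.yaml@0123456789abcdef0123456789abcdef01234567";
const makePredicate = (repository) => ({
  buildDefinition: { externalParameters: { workflow: { ref: "refs/tags/v0.3.0", repository, path: WORKFLOW_PATH } } },
});
const GOOD_BUNDLE = { cert: { issuer: GITHUB_OIDC_ISSUER, san: REUSABLE_SAN }, predicate: makePredicate("https://github.com/bitwise-media-group/evolve") };
// The pre-0.3.0 shape: the SAN named evolve's own workflow directly (assumed old path).
const OLD_IDENTITY_BUNDLE = {
  cert: { issuer: GITHUB_OIDC_ISSUER, san: "https://github.com/bitwise-media-group/evolve/.github/workflows/release.yaml@refs/tags/v0.2.5" },
  predicate: makePredicate("https://github.com/bitwise-media-group/evolve"),
};
// Same trusted SAN, but a different repository called the reusable workflow.
const OTHER_CALLER_BUNDLE = { cert: { issuer: GITHUB_OIDC_ISSUER, san: REUSABLE_SAN }, predicate: makePredicate("https://github.com/example-org/not-evolve") };

console.log("latest ->", resolveVersion("latest", RELEASES));
try { resolveVersion("v0.2.5", RELEASES); } catch (e) { console.log("v0.2.5 ->", e.message); }
for (const [name, b] of Object.entries({ GOOD_BUNDLE, OLD_IDENTITY_BUNDLE, OTHER_CALLER_BUNDLE })) console.log(name, verifyRelease(b));
```

Run it with `node` as-is; the three bundles exercise the three outcomes (accepted, rejected on the old SAN, rejected on the caller). In a real installer the `cert` and `predicate` inputs come out of the Sigstore bundle after signature and transparency-log verification; this block only models the identity policy that sits on top of that.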
c0a097d to 4971fdc
johankees approved these changes on Jun 24, 2026
Collaborator (Author)
/merge

Collaborator (Author)
/merge
Fast-forwarded 4971fdc into bitwise-media-group:main
25 checks passed