
fix: accept reusable-workflow cert identity for evolve releases #8

Merged
bitwise-fast-forward-merge[bot] merged 1 commit into bitwise-media-group:main from dmccaffery:fix/security-reports on Jun 24, 2026

Conversation

@dmccaffery (Collaborator)

Since v0.3.0 the evolve release workflow is a thin caller into the shared reusable workflow in bitwise-media-group/github-workflows. GitHub Actions issues the Sigstore certificate to the executing workflow (the reusable one), so the SAN is now:

https://github.com/bitwise-media-group/github-workflows/.github/workflows/release.yaml@<sha>

rather than the caller's identity. The SLSA predicate externalParameters.workflow still records the caller (bitwise-media-group/evolve), so WORKFLOW_REPOSITORY / WORKFLOW_PATH are unchanged.

Changes:

  • CERT_IDENTITY_URI now matches the github-workflows reusable release workflow at any ref (commit SHA changes with each pin bump)
  • Unit-test VERIFY_POLICY assertion updated to match
  • SIGNER mock updated to a representative reusable-workflow SAN
  • Integration test bumped to v0.3.0 with matching fixture bundles and expected SAN

Resolves #7
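As an added example (not the setup-evolve project's own code and not written by the PR author), the TypeScript below models the two checks this PR describes: a certificate-identity policy that accepts the executing reusable release workflow at any ref while the SLSA predicate check still pins the calling workflow, and a resolveVersion() guard that rejects releases older than the first one signed under the new identity. All identifiers, the predicate record shape, the URL form of the repository value, and the sample SANs and release list are assumed or constructed for illustration.

```typescript
// Added example, not the setup-evolve project's own code. It models the two
// checks this PR describes; every identifier, sample value and record shape
// below is an assumption made for illustration.

// The SAN Fulcio now issues names the reusable workflow in github-workflows;
// the part after "@" is the pinned commit SHA, which changes with every pin
// bump, so it is matched with a wildcard rather than a fixed value.
const CERT_IDENTITY_REGEXP =
  /^https:\/\/github\.com\/bitwise-media-group\/github-workflows\/\.github\/workflows\/release\.yaml@.+$/;

// OIDC issuer that GitHub Actions uses when requesting Fulcio certificates.
const CERT_OIDC_ISSUER = "https://token.actions.githubusercontent.com";

// The SLSA predicate still records the *calling* workflow, so these values
// are unchanged by the PR. The URL form of the repository value is assumed.
const WORKFLOW_REPOSITORY = "https://github.com/bitwise-media-group/evolve";
const WORKFLOW_PATH = ".github/workflows/release.yaml";

// Oldest release whose attestation was signed by the reusable-workflow identity.
const MIN_SUPPORTED_VERSION = "0.3.0";

interface SignerIdentity {
  san: string; // Subject Alternative Name from the signing certificate
  issuer: string; // OIDC issuer extension from the same certificate
}

// Assumed shape of the relevant corner of a SLSA v1 provenance predicate.
interface SlsaPredicate {
  buildDefinition: {
    externalParameters: { workflow: { repository: string; path: string; ref: string } };
  };
}

// Certificate check: issuer must match exactly, SAN must match the regexp.
function certIdentityAccepted(id: SignerIdentity): boolean {
  return id.issuer === CERT_OIDC_ISSUER && CERT_IDENTITY_REGEXP.test(id.san);
}

// Predicate check: the caller recorded in externalParameters.workflow must be
// the evolve release workflow, independent of which workflow executed it.
function callerAccepted(predicate: SlsaPredicate): boolean {
  const w = predicate.buildDefinition.externalParameters.workflow;
  return w.repository === WORKFLOW_REPOSITORY && w.path === WORKFLOW_PATH;
}

interface SemVer { major: number; minor: number; patch: number; pre: string | null }

function parseSemver(v: string): SemVer {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semantic version: ${v}`);
  return { major: Number(m[1]), minor: Number(m[2]), patch: Number(m[3]), pre: m[4] ?? null };
}

// Ascending comparison; a pre-release sorts below the release it precedes.
// Pre-release labels are compared lexicographically (an approximation).
function compareSemver(a: string, b: string): number {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ["major", "minor", "patch"] as const) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// Resolves "latest" (highest stable tag) or an explicit tag against the release
// list, then refuses anything below MIN_SUPPORTED_VERSION before any download
// so the user sees a clear message instead of a Sigstore identity mismatch.
function resolveVersion(requested: string, releases: string[]): string {
  let chosen: string | undefined;
  if (requested === "latest") {
    const stable = releases.filter((r) => parseSemver(r).pre === null).sort(compareSemver);
    chosen = stable[stable.length - 1];
  } else {
    chosen = releases.find((r) => compareSemver(r, requested) === 0);
  }
  if (chosen === undefined) throw new Error(`no release matches ${requested}`);
  if (compareSemver(chosen, MIN_SUPPORTED_VERSION) < 0) {
    throw new Error(
      `evolve ${chosen} predates ${MIN_SUPPORTED_VERSION}; its provenance was signed under the ` +
        `old direct-workflow identity and can no longer be verified`,
    );
  }
  return chosen;
}

// Constructed sample inputs: the SAN the old policy expected versus the kind
// Fulcio issues now, and a release list like the fixture this PR bumps.
const OLD_SAN = "https://github.com/bitwise-media-group/evolve/.github/workflows/release.yaml@refs/tags/v0.2.0";
const NEW_SAN = "https://github.com/bitwise-media-group/github-workflows/.github/workflows/release.yaml@0123456789abcdef0123456789abcdef01234567";
const RELEASES = ["v0.1.0", "v0.2.3", "v0.3.0", "v0.4.0-rc.1"];
```

Keeping the issuer check exact while the SAN is matched by a regexp is the point of the change: the wildcard only widens the ref component (the pinned SHA), not the repository or workflow path, so a workflow from any other repository still fails the certificate check even before the predicate is examined.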

@github-actions (Contributor)

Note

Merging this PR: this repository merges by fast-forward so every
commit keeps its original signature. The GitHub merge button is not used.
Once this PR is approved and all checks pass, a maintainer merges it by
commenting /merge on the PR.

The branch must be up to date with main (rebased and re-signed) to
fast-forward. If /merge reports it is not fast-forwardable, rebase onto
main and comment /merge again.

@codecov (codecov Bot) commented Jun 24, 2026

Codecov Report

❌ Patch coverage is 80.00000% with 3 lines in your changes missing coverage. Please review.

Files with missing lines   Patch %   Lines
src/error.ts               50.00%    0 Missing and 1 partial
src/github.ts              75.00%    0 Missing and 1 partial
src/main.ts                 0.00%    1 Missing


dmccaffery force-pushed the fix/security-reports branch from 1844d8c to c0a097d on June 24, 2026 14:44

@dmccaffery (Collaborator, Author)

/merge

@bitwise-fast-forward-merge

Cannot /merge this PR yet:

  • not fast-forwardable (diverged) — rebase and re-sign onto main

Since v0.3.0 the evolve release workflow is a thin caller into the
shared reusable workflow in bitwise-media-group/github-workflows.
GitHub Actions issues the Sigstore certificate to the *executing*
workflow (the reusable one), so the SAN is now:

  https://github.com/bitwise-media-group/github-workflows/.github/workflows/release.yaml@<sha>

rather than the caller's identity.  The SLSA predicate
externalParameters.workflow still records the caller (bitwise-media-group/evolve),
so WORKFLOW_REPOSITORY / WORKFLOW_PATH are unchanged.

Since the old direct-workflow identity no longer appears in any
v0.3.0+ attestation, installations of v0.2.x and earlier will always
fail verification.  resolveVersion() now hard-errors on any resolved
version below MIN_SUPPORTED_VERSION (0.3.0) with a clear message,
rather than letting the install proceed to a confusing sigstore failure.

Changes:
- CERT_IDENTITY_URI now matches the github-workflows reusable release
  workflow at any ref (commit SHA changes with each pin bump)
- MIN_SUPPORTED_VERSION = '0.3.0' added to constants; resolveVersion()
  rejects earlier versions before any download is attempted
- Unit-test VERIFY_POLICY assertion updated; SIGNER mock updated to a
  representative reusable-workflow SAN; two new guard tests added
- RELEASES fixture bumped (added v0.3.0, v0.4.0-rc.1; all tests that
  previously resolved to a sub-0.3.0 version updated accordingly)
- Integration test bumped to v0.3.0 with matching fixture bundles and
  expected SAN

Resolves bitwise-media-group#7

Signed-off-by: Deavon M. McCaffery <dmccaffery@users.noreply.github.com>
dmccaffery force-pushed the fix/security-reports branch from c0a097d to 4971fdc on June 24, 2026 14:50
dmccaffery requested a review from johankees on June 24, 2026 14:51

@dmccaffery (Collaborator, Author)

/merge

1 similar comment
@dmccaffery (Collaborator, Author)

/merge

@bitwise-fast-forward-merge

Fast-forwarded main to 4971fdc7fc28 — original signature preserved, no re-sign.

bitwise-fast-forward-merge[bot] merged commit 4971fdc into bitwise-media-group:main on Jun 24, 2026
25 checks passed
dmccaffery deleted the fix/security-reports branch on June 24, 2026 15:10

Development

Successfully merging this pull request may close these issues.

Bug: setup-evolve fails to install latest evolve v0.3.0 because release provenance signer changed
