From 9a1d85cf21d1931a4d9f52292bc07deba1ba4815 Mon Sep 17 00:00:00 2001 From: Andrey Markelov Date: Sun, 5 Jul 2026 22:27:05 -0700 Subject: [PATCH] Remove SLSA provenance job from release workflow The slsa-github-generator reusable workflow is not on the org's allowed reusable-workflows list, which fails the entire Release workflow at startup (startup_failure) and blocks tag releases. Drop the provenance job and its subject-generation steps; keep SBOM generation and Cosign signing. Update the changelog to match. --- .github/workflows/release.yml | 21 --------------------- CHANGELOG.md | 2 +- 2 files changed, 1 insertion(+), 22 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 0769722..64347ea 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -16,7 +16,6 @@ jobs: id-token: write outputs: asset_version: ${{ steps.version.outputs.asset_version }} - slsa_subjects_file: ${{ steps.slsa_subjects.outputs.handle }} steps: - uses: actions/checkout@v7 - uses: actions/setup-go@v6 @@ -50,14 +49,6 @@ jobs: - run: ./packaging/package-release.sh env: VERSION: ${{ github.ref_name }} - - name: Generate SLSA subjects - shell: bash - run: base64 -w0 dist/SHA256SUMS > dist/SHA256SUMS.base64 - - name: Upload SLSA subjects - id: slsa_subjects - uses: slsa-framework/slsa-github-generator/actions/generator/generic/create-base64-subjects-from-file@v2.1.0 - with: - path: dist/SHA256SUMS.base64 - name: Install Cosign uses: sigstore/cosign-installer@v4.1.0 - name: Sign checksums @@ -70,15 +61,3 @@ jobs: dist/SHA256SUMS dist/SHA256SUMS.sigstore.json dist/*_sbom.spdx.json - - provenance: - needs: release - permissions: - actions: read - contents: write - id-token: write - uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0 - with: - base64-subjects-as-file: ${{ needs.release.outputs.slsa_subjects_file }} - upload-assets: true - provenance-name: dbxcli_${{ needs.release.outputs.asset_version }}_slsa.intoto.jsonl diff --git a/CHANGELOG.md b/CHANGELOG.md index 6e20567..c0f1739 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -22,7 +22,7 @@ - Added scheduled/manual OSSF Scorecard scanning without public Scorecard API publishing. - Replaced standalone Staticcheck workflow steps with a narrow `golangci-lint` configuration. - Added explicit `go.sum` cache dependency paths for `actions/setup-go`. -- Added SBOM, Cosign signatures, and SLSA provenance to release artifacts. +- Added SBOM generation and Cosign signatures to release artifacts. - Added race detector, workflow linting, and CodeQL security scanning to CI. - Hardened CI workflows with explicit read-only permissions. - Generate a non-constant OAuth2 `state` value to resolve the CodeQL `go/constant-oauth2-state` alert.