Skip to content

Immutable releases are incompatible with the attest-release upload step #35

Description

@zircote

Problem

The attested-delivery release flow publishes a GitHub Release, then the attest
workflow uploads the SLSA-attested artifact to that release as an asset. GitHub
immutable releases reject any post-publish asset upload
(HTTP 422: Cannot upload assets to an immutable release), so the attest job
fails. Worse, an immutable release permanently binds its tag: after deleting
the release, the tag cannot be reused
(tag_name was used by an immutable release), which forces a version bump to
re-cut.

This surfaced while cutting releases on two repos:

  • research-harness-template: v0.8.0 attest failed at the upload step; the
    v0.8.0 tag was burned and the release had to be re-cut as v0.8.1.
  • ontologies: v0.2.0 was burned the same way and re-cut as v0.2.1.

Immutable releases are disabled on both repos for now as a workaround.

Follow-up / decision

Pick one org posture and apply it consistently across every attested-delivery repo:

  • Option A (current workaround): keep immutable releases OFF for attested
    repos. Simple, but it gives up the tamper-evidence immutable releases provide.
  • Option B (recommended): make the release workflow compatible with immutable
    releases by creating the release WITH the attested artifact in a single step
    (build then attest then create-release-with-asset), instead of
    publish-then-upload. Then immutable releases can stay ON and the attestation
    still attaches.

If Option B is chosen, update the reusable attest workflow and the repo-local
research-harness-template / ontologies release.yml, then re-enable immutable
releases org-wide.

Affected

All attested-delivery repos share this release pattern; it surfaced on
research-harness-template and ontologies.

Metadata

Metadata

Assignees

No one assigned

    Labels

    priority: mediumImportant but can be scheduled for upcoming worktype: bugSomething is not working as expected

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions