Problem
The attested-delivery release flow publishes a GitHub Release, then the attest
workflow uploads the SLSA-attested artifact to that release as an asset. GitHub
immutable releases reject any post-publish asset upload
(HTTP 422: Cannot upload assets to an immutable release), so the attest job
fails. Worse, an immutable release permanently binds its tag: after deleting
the release, the tag cannot be reused
(tag_name was used by an immutable release), which forces a version bump to
re-cut.
This surfaced while cutting releases on two repos:
- research-harness-template: v0.8.0 attest failed at the upload step; the
v0.8.0 tag was burned and the release had to be re-cut as v0.8.1.
- ontologies: v0.2.0 was burned the same way and re-cut as v0.2.1.
Immutable releases are disabled on both repos for now as a workaround.
Follow-up / decision
Pick one org posture and apply it consistently across every attested-delivery repo:
- Option A (current workaround): keep immutable releases OFF for attested
repos. Simple, but it gives up the tamper-evidence immutable releases provide.
- Option B (recommended): make the release workflow compatible with immutable
releases by creating the release WITH the attested artifact in a single step
(build then attest then create-release-with-asset), instead of
publish-then-upload. Then immutable releases can stay ON and the attestation
still attaches.
If Option B is chosen, update the reusable attest workflow and the repo-local
research-harness-template / ontologies release.yml, then re-enable immutable
releases org-wide.
Affected
All attested-delivery repos share this release pattern; it surfaced on
research-harness-template and ontologies.
Problem
The attested-delivery release flow publishes a GitHub Release, then the attest
workflow uploads the SLSA-attested artifact to that release as an asset. GitHub
immutable releases reject any post-publish asset upload
(
HTTP 422: Cannot upload assets to an immutable release), so the attest jobfails. Worse, an immutable release permanently binds its tag: after deleting
the release, the tag cannot be reused
(
tag_name was used by an immutable release), which forces a version bump tore-cut.
This surfaced while cutting releases on two repos:
v0.8.0 tag was burned and the release had to be re-cut as v0.8.1.
Immutable releases are disabled on both repos for now as a workaround.
Follow-up / decision
Pick one org posture and apply it consistently across every attested-delivery repo:
repos. Simple, but it gives up the tamper-evidence immutable releases provide.
releases by creating the release WITH the attested artifact in a single step
(build then attest then create-release-with-asset), instead of
publish-then-upload. Then immutable releases can stay ON and the attestation
still attaches.
If Option B is chosen, update the reusable attest workflow and the repo-local
research-harness-template/ontologiesrelease.yml, then re-enable immutablereleases org-wide.
Affected
All attested-delivery repos share this release pattern; it surfaced on
research-harness-template and ontologies.