Skip to content

Record attest provenance on merged commits#327

Merged
0xLeif merged 3 commits into
mainfrom
feat/attest-provenance
Jul 7, 2026
Merged

Record attest provenance on merged commits#327
0xLeif merged 3 commits into
mainfrom
feat/attest-provenance

Conversation

@0xLeif

@0xLeif 0xLeif commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

From the trust-tooling audit: spec-sync never ran attest, so its /trust/ attest pip was dark. Adds a dedicated main-only attest job (after test, fmt, audit, spec-check) that records a provenance attestation and pushes refs/notes/attest. Public Linux binary, checksum-verified, no token; additive and best-effort.

🤖 Generated with Claude Code
https://claude.ai/code/session_01ApSS1xj22zGwbUSkRs3mmE

Wires attest into CI so spec-sync builds a signed-provenance ledger and its
/trust/ attest pip lights (it was dark: spec-sync never ran attest). A dedicated
main-only job records an attestation after the gates (test, fmt, audit,
spec-check) pass and pushes refs/notes/attest. Public Linux binary, checksum-
verified, no token; additive and best-effort, so it can never fail CI.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01ApSS1xj22zGwbUSkRs3mmE
@0xLeif 0xLeif requested a review from a team as a code owner July 4, 2026 19:17
@0xLeif 0xLeif requested review from 0xGaspar, Kyntrin and tofu-ux July 4, 2026 19:17
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@cursor

cursor Bot commented Jul 4, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

github-actions[bot]
github-actions Bot previously approved these changes Jul 4, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Corvin says...

      _
    <(^\  .oO(Caw! ^v^)
     |/(\
      \(\\
      " "\\

"Caw! Your code sparkles like a dropped french fry."

CI Summary

Check Status
Validate action.yml ✅ Passed
Dependency Audit ✅ Passed
Code Coverage ✅ Passed
Format Check ✅ Passed
Docs Site ✅ Passed
Spec Validation ✅ Passed
Tests (build, test, clippy) ✅ Passed
VS Code Extension ✅ Passed
📋 Spec Validation Details

✅ SpecSync: Passed

Metric Value
Specs checked 60
Passed 60
Errors 0
Warnings 0
File coverage 100% (76/76)
LOC coverage 100% (38435/38435)

Generated by specsync · Run specsync check --format github to reproduce


Powered by corvid-pet

@Kyntrin Kyntrin left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The workflow addition is small and the PR checks are green, but I’m requesting one change before merge.

Requested change:

The new attest job records a proceed attestation after only test, fmt, audit, and spec-check complete. Existing CI also has validate-action, coverage, site, and vscode-extension jobs. On a push to main, any of those omitted jobs could fail while the attestation job still runs and pushes a successful provenance note for the commit. That makes the ledger stronger than the actual CI state.

Please include the full set of merge-gating CI jobs in needs before recording the attestation, or make the attestation note/verdict explicitly narrower so it cannot be read as “all CI passed.”

Non-blocking notes: the job’s best-effort behavior is implemented as advertised, and it correctly skips on PRs. Consider using actions/checkout@v5 for consistency with the rest of the workflow, but that is not a blocker.

Addresses review: the attest job recorded 'proceed' after only test/fmt/audit/
spec-check, so coverage, site, vscode-extension, or validate-action could fail on
a main push while the attestation still signed off. Depend on all gate jobs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01ApSS1xj22zGwbUSkRs3mmE
@cursor

cursor Bot commented Jul 6, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

github-actions[bot]
github-actions Bot previously approved these changes Jul 6, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Corvin says...

      _
    <(^\  .oO(Caw! ^v^)
     |/(\
      \(\\
      " "\\

"Caw! Found a shiny new spec!"

CI Summary

Check Status
Validate action.yml ✅ Passed
Dependency Audit ✅ Passed
Code Coverage ✅ Passed
Format Check ✅ Passed
Docs Site ✅ Passed
Spec Validation ✅ Passed
Tests (build, test, clippy) ✅ Passed
VS Code Extension ✅ Passed
📋 Spec Validation Details

✅ SpecSync: Passed

Metric Value
Specs checked 60
Passed 60
Errors 0
Warnings 0
File coverage 100% (76/76)
LOC coverage 100% (38435/38435)

Generated by specsync · Run specsync check --format github to reproduce


Powered by corvid-pet

Addresses Kyntrin's CHANGES_REQUESTED on #327:
- The attest job's `needs` already gates on all 8 merge-gating jobs
  (test, fmt, audit, coverage, site, vscode-extension, validate-action,
  spec-check) as of the prior commit, so a partial-CI failure can no longer
  record a "proceed" provenance note. Updated the now-stale --note text (it
  still read "cargo test + fmt + audit + spec-check green") to enumerate the
  full gate set so the ledger entry cannot be under- or mis-read.
- Bumped the attest job's actions/checkout@v4 -> v5 for consistency with the
  rest of the workflow (non-blocking nit).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@cursor

cursor Bot commented Jul 7, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@0xLeif

0xLeif commented Jul 7, 2026

Copy link
Copy Markdown
Contributor Author

@Kyntrin Addressed:

  • The attest job's needs now gates on the full merge-gating set — test, fmt, audit, coverage, site, vscode-extension, validate-action, spec-check — so a proceed note can no longer be recorded when any real check failed (done in 4fab4f4).
  • Follow-up 0288b34: updated the now-stale --note text (it still enumerated only test + fmt + audit + spec-check) to list the full gate set so the ledger entry can't be mis-read, and bumped the job's actions/checkout@v4v5 for consistency (your non-blocking note).

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❌ Corvin says...

      _
    <(;\  .oO(oh no...)
     |/(\
      \(\\
      " "\\

"Caw... validation failed..."

CI Summary

Check Status
Validate action.yml ✅ Passed
Dependency Audit ❌ failure
Code Coverage ✅ Passed
Format Check ✅ Passed
Docs Site ✅ Passed
Spec Validation ✅ Passed
Tests (build, test, clippy) ✅ Passed
VS Code Extension ✅ Passed
📋 Spec Validation Details

✅ SpecSync: Passed

Metric Value
Specs checked 60
Passed 60
Errors 0
Warnings 0
File coverage 100% (76/76)
LOC coverage 100% (38435/38435)

Generated by specsync · Run specsync check --format github to reproduce


Powered by corvid-pet

@github-actions github-actions Bot dismissed their stale review July 7, 2026 01:20

Superseded by updated review.

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Corvin says...

      _
    <(^\  .oO(Caw! ^v^)
     |/(\
      \(\\
      " "\\

"That's a nice looking export you've got there."

CI Summary

Check Status
Validate action.yml ✅ Passed
Dependency Audit ✅ Passed
Code Coverage ✅ Passed
Format Check ✅ Passed
Docs Site ✅ Passed
Spec Validation ✅ Passed
Tests (build, test, clippy) ✅ Passed
VS Code Extension ✅ Passed
📋 Spec Validation Details

✅ SpecSync: Passed

Metric Value
Specs checked 60
Passed 60
Errors 0
Warnings 0
File coverage 100% (76/76)
LOC coverage 100% (38435/38435)

Generated by specsync · Run specsync check --format github to reproduce


Powered by corvid-pet

@0xLeif 0xLeif merged commit d184f51 into main Jul 7, 2026
28 of 29 checks passed
@0xLeif 0xLeif deleted the feat/attest-provenance branch July 7, 2026 01:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants