Record attest provenance on merged commits#327
Conversation
Wires attest into CI so spec-sync builds a signed-provenance ledger and its /trust/ attest pip lights (it was dark: spec-sync never ran attest). A dedicated main-only job records an attestation after the gates (test, fmt, audit, spec-check) pass and pushes refs/notes/attest. Public Linux binary, checksum- verified, no token; additive and best-effort, so it can never fail CI. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01ApSS1xj22zGwbUSkRs3mmE
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
There was a problem hiding this comment.
✅ Corvin says...
_
<(^\ .oO(Caw! ^v^)
|/(\
\(\\
" "\\
"Caw! Your code sparkles like a dropped french fry."
CI Summary
| Check | Status |
|---|---|
| Validate action.yml | ✅ Passed |
| Dependency Audit | ✅ Passed |
| Code Coverage | ✅ Passed |
| Format Check | ✅ Passed |
| Docs Site | ✅ Passed |
| Spec Validation | ✅ Passed |
| Tests (build, test, clippy) | ✅ Passed |
| VS Code Extension | ✅ Passed |
📋 Spec Validation Details
✅ SpecSync: Passed
| Metric | Value |
|---|---|
| Specs checked | 60 |
| Passed | 60 |
| Errors | 0 |
| Warnings | 0 |
| File coverage | 100% (76/76) |
| LOC coverage | 100% (38435/38435) |
Generated by specsync · Run specsync check --format github to reproduce
Powered by corvid-pet
Kyntrin
left a comment
There was a problem hiding this comment.
The workflow addition is small and the PR checks are green, but I’m requesting one change before merge.
Requested change:
The new attest job records a proceed attestation after only test, fmt, audit, and spec-check complete. Existing CI also has validate-action, coverage, site, and vscode-extension jobs. On a push to main, any of those omitted jobs could fail while the attestation job still runs and pushes a successful provenance note for the commit. That makes the ledger stronger than the actual CI state.
Please include the full set of merge-gating CI jobs in needs before recording the attestation, or make the attestation note/verdict explicitly narrower so it cannot be read as “all CI passed.”
Non-blocking notes: the job’s best-effort behavior is implemented as advertised, and it correctly skips on PRs. Consider using actions/checkout@v5 for consistency with the rest of the workflow, but that is not a blocker.
Addresses review: the attest job recorded 'proceed' after only test/fmt/audit/ spec-check, so coverage, site, vscode-extension, or validate-action could fail on a main push while the attestation still signed off. Depend on all gate jobs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01ApSS1xj22zGwbUSkRs3mmE
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
There was a problem hiding this comment.
✅ Corvin says...
_
<(^\ .oO(Caw! ^v^)
|/(\
\(\\
" "\\
"Caw! Found a shiny new spec!"
CI Summary
| Check | Status |
|---|---|
| Validate action.yml | ✅ Passed |
| Dependency Audit | ✅ Passed |
| Code Coverage | ✅ Passed |
| Format Check | ✅ Passed |
| Docs Site | ✅ Passed |
| Spec Validation | ✅ Passed |
| Tests (build, test, clippy) | ✅ Passed |
| VS Code Extension | ✅ Passed |
📋 Spec Validation Details
✅ SpecSync: Passed
| Metric | Value |
|---|---|
| Specs checked | 60 |
| Passed | 60 |
| Errors | 0 |
| Warnings | 0 |
| File coverage | 100% (76/76) |
| LOC coverage | 100% (38435/38435) |
Generated by specsync · Run specsync check --format github to reproduce
Powered by corvid-pet
Addresses Kyntrin's CHANGES_REQUESTED on #327: - The attest job's `needs` already gates on all 8 merge-gating jobs (test, fmt, audit, coverage, site, vscode-extension, validate-action, spec-check) as of the prior commit, so a partial-CI failure can no longer record a "proceed" provenance note. Updated the now-stale --note text (it still read "cargo test + fmt + audit + spec-check green") to enumerate the full gate set so the ledger entry cannot be under- or mis-read. - Bumped the attest job's actions/checkout@v4 -> v5 for consistency with the rest of the workflow (non-blocking nit). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
|
@Kyntrin Addressed:
|
There was a problem hiding this comment.
❌ Corvin says...
_
<(;\ .oO(oh no...)
|/(\
\(\\
" "\\
"Caw... validation failed..."
CI Summary
| Check | Status |
|---|---|
| Validate action.yml | ✅ Passed |
| Dependency Audit | ❌ failure |
| Code Coverage | ✅ Passed |
| Format Check | ✅ Passed |
| Docs Site | ✅ Passed |
| Spec Validation | ✅ Passed |
| Tests (build, test, clippy) | ✅ Passed |
| VS Code Extension | ✅ Passed |
📋 Spec Validation Details
✅ SpecSync: Passed
| Metric | Value |
|---|---|
| Specs checked | 60 |
| Passed | 60 |
| Errors | 0 |
| Warnings | 0 |
| File coverage | 100% (76/76) |
| LOC coverage | 100% (38435/38435) |
Generated by specsync · Run specsync check --format github to reproduce
Powered by corvid-pet
There was a problem hiding this comment.
✅ Corvin says...
_
<(^\ .oO(Caw! ^v^)
|/(\
\(\\
" "\\
"That's a nice looking export you've got there."
CI Summary
| Check | Status |
|---|---|
| Validate action.yml | ✅ Passed |
| Dependency Audit | ✅ Passed |
| Code Coverage | ✅ Passed |
| Format Check | ✅ Passed |
| Docs Site | ✅ Passed |
| Spec Validation | ✅ Passed |
| Tests (build, test, clippy) | ✅ Passed |
| VS Code Extension | ✅ Passed |
📋 Spec Validation Details
✅ SpecSync: Passed
| Metric | Value |
|---|---|
| Specs checked | 60 |
| Passed | 60 |
| Errors | 0 |
| Warnings | 0 |
| File coverage | 100% (76/76) |
| LOC coverage | 100% (38435/38435) |
Generated by specsync · Run specsync check --format github to reproduce
Powered by corvid-pet
From the trust-tooling audit: spec-sync never ran attest, so its /trust/ attest pip was dark. Adds a dedicated main-only
attestjob (after test, fmt, audit, spec-check) that records a provenance attestation and pushesrefs/notes/attest. Public Linux binary, checksum-verified, no token; additive and best-effort.🤖 Generated with Claude Code
https://claude.ai/code/session_01ApSS1xj22zGwbUSkRs3mmE