Skip to content

ci: fix release provenance subject#131

Merged
jmcte merged 3 commits into
mainfrom
codex/fix-release-provenance-subject
May 31, 2026
Merged

ci: fix release provenance subject#131
jmcte merged 3 commits into
mainfrom
codex/fix-release-provenance-subject

Conversation

@pheidon
Copy link
Copy Markdown
Contributor

@pheidon pheidon commented May 31, 2026

Summary

  • emit a separate untagged image repository output from release metadata
  • use that repository name as the SLSA provenance subject while keeping tagged refs for build and runtime checks
  • cover the provenance subject wiring in the release workflow test

Validation

  • corepack pnpm vitest run test/release-workflow.test.ts
  • corepack pnpm test
  • corepack pnpm build

Context

The v0.2.1 release image workflow builds and pushes successfully, but actions/attest-build-provenance@v3 rejects tagged image refs as subject-name with Invalid image name: ghcr.io/omt-global/github-runner-fleet:0.2.1. This keeps the final release verification from completing even though the image itself contains GitHub Actions runner 2.334.0.

@pheidon pheidon marked this pull request as ready for review May 31, 2026 21:23
@pheidon pheidon requested a review from jmcte as a code owner May 31, 2026 21:23
@jmcte jmcte enabled auto-merge (squash) May 31, 2026 21:24
@jmcte jmcte merged commit 6f17ad1 into main May 31, 2026
22 of 24 checks passed
@jmcte jmcte deleted the codex/fix-release-provenance-subject branch May 31, 2026 21:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jmcte jmcte jmcte approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@pheidon @jmcte