Skip to content

feat(ci): add author verification workflow on merge to main#2925

Merged
migmartri merged 2 commits into
chainloop-dev:mainfrom
migmartri:feat/author-verification-workflow
Mar 23, 2026
Merged

feat(ci): add author verification workflow on merge to main#2925
migmartri merged 2 commits into
chainloop-dev:mainfrom
migmartri:feat/author-verification-workflow

Conversation

@migmartri

Copy link
Copy Markdown
Member

Summary

  • Add a dedicated GitHub Actions workflow and Chainloop contract for commit author and signature verification on every merge to main
  • The workflow performs a lightweight attestation with no build steps, enforcing the source-commit policy with check_signature and check_author_verified enabled
  • Contract is automatically synced by the existing sync_contracts.yml workflow

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 issue found across 2 files

Prompt for AI agents (unresolved issues)

Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.


<file name=".github/workflows/author_verification.yml">

<violation number="1" location=".github/workflows/author_verification.yml:7">
P2: Avoid `id-token: write` at workflow scope. Keep workflow permissions empty (or read-only defaults) and grant OIDC only at the `verify` job level.

(Based on your team's feedback about GitHub Actions permission scoping.) [FEEDBACK_USED]</violation>
</file>

Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.

Comment thread .github/workflows/author_verification.yml Outdated
Add a dedicated workflow and contract that performs commit author and
signature verification via Chainloop attestation on every merge to main.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
Keep workflow-level permissions minimal; id-token:write is already
granted at the job level where it's needed.

Signed-off-by: Miguel Martinez Trivino <miguel@chainloop.dev>
@migmartri migmartri force-pushed the feat/author-verification-workflow branch from df04fbe to 80f429a Compare March 23, 2026 11:05
@migmartri migmartri merged commit d923f28 into chainloop-dev:main Mar 23, 2026
14 checks passed
@migmartri migmartri deleted the feat/author-verification-workflow branch March 23, 2026 11:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants