feat(release): publish Linux binary artifacts #137

Merged
jwilger merged 3 commits from issue-121-linux-binary-provenance into main 2026-05-07 14:43:33 -07:00
Owner

Summary

  • Publish Linux x86_64 and aarch64 auto-review binary archives as Forgejo Release assets alongside Docker image information.
  • Generate SHA-256 checksums, SSH signatures, SPDX SBOM, SLSA-style provenance, and release-note verification commands.
  • Update release publish guardrails, pinned tooling, operator docs, and threat model for binary assets and the aarch64 builder trust boundary.

Verification

  • bash tests/release_tooling_test.sh
  • nix flake check

Closes #121

feat(release): publish Linux binary artifacts
All checks were successful
CI / Nix flake check (pull_request) Successful in 3m22s
CI / auto_review semantic review (pull_request) Successful in 1s
auto_review auto_review: 1 warning
9e8c4589d2
Add Forgejo release assets for Linux x86_64 and aarch64 auto-review binaries with checksums, SSH signatures, SBOM/provenance metadata, and operator verification instructions.
auto-review approved these changes 2026-05-07 14:03:17 -07:00
Dismissed
auto-review left a comment

This PR introduces the publication of Linux binary artifacts as Forgejo Release assets, including checksums, signatures, and metadata. The changes appear well-structured and include necessary updates to documentation and threat models. The PR seems safe to merge, with minor notes on ensuring secure execution of build and verification steps.

Walkthrough

  • .forgejo/workflows/release-publish.yml:
    • Adds steps to build and verify Linux binary release artifacts for x86_64 and aarch64 architectures.
    • Includes generation of SHA-256 checksums, SSH signatures, SPDX SBOM, and SLSA-style provenance.
    • Updates the release notes to include verification commands for the binary artifacts.
  • docs/OPERATIONS.md and docs/THREAT-MODEL.md:
    • Updated to reflect the new release process, including the handling of binary artifacts and the associated security considerations.
  • flake.nix:
    • Adds openssh to the list of dependencies, likely for handling SSH signatures.
  • tests/release_tooling_test.sh:
    • Adds tests to ensure the release workflow attaches binary archives, checksums, signatures, and provenance metadata.
    • Verifies that generated binary artifacts are checked before release upload.
@ -102,6 +104,154 @@ jobs:
RELEASE_CANDIDATE_SHA="$(git rev-parse "$RELEASE_MERGE_SHA^2")"
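Review bot: `git rev-parse "$RELEASE_MERGE_SHA^2"` only resolves when `RELEASE_MERGE_SHA` is a two-parent merge commit; on a fast-forward or squash merge the command fails and, unless this step runs under `set -e` (not visible in the hunk), `RELEASE_CANDIDATE_SHA` is left empty and the later checksum, signature and provenance steps are derived from an empty commit reference. Suggest failing closed right after this line, e.g. `[ -n "$RELEASE_CANDIDATE_SHA" ] || { echo "RELEASE_MERGE_SHA is not a merge commit" >&2; exit 1; }`.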
Owner

🟡 Warning: Ensure that the ssh-keygen commands are executed in a secure manner, especially when handling sensitive keys and signatures.

Author
Owner

Reflection: this was a security guardrail gap in the release-tooling contract tests—the workflow already used chmod 600, but the tests did not require private tempdir creation or failure-path cleanup for key material.

Remediated in 6cbc467: the publish workflow now sets umask 077, writes RELEASE_SIGNING_KEY under a private mktemp -d directory, installs trap 'rm -rf "$signing_dir"' EXIT before signing, and keeps private key material out of release-artifacts. I also added a release tooling contract test for this handling.

Verification: bash tests/release_tooling_test.sh passes.

jwilger marked this conversation as resolved
fix(release): isolate signing key material
All checks were successful
CI / Nix flake check (pull_request) Successful in 3m22s
CI / auto_review semantic review (pull_request) Successful in 1s
auto_review auto_review: 1 warning
6cbc467152
Handle the release signing key in a private temporary directory with restrictive permissions and trap cleanup so failed publish runs do not leave key material behind.
jwilger dismissed auto-review's review 2026-05-07 14:15:53 -07:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

auto-review approved these changes 2026-05-07 14:19:58 -07:00
Dismissed
auto-review left a comment

This PR enhances the release process by publishing Linux binary artifacts and improving security measures for handling signing keys. The changes appear well-structured and safe to merge.

Walkthrough

Δ since 9e8c458:

  • Security Enhancements:
    • The release workflow now creates a private temporary directory for signing keys, improving security by ensuring keys are not exposed.
    • A trap command is added to clean up the temporary directory, preventing potential security risks from leftover files.
  • Testing Improvements:
    • A new test ensures the release workflow handles signing keys securely, checking for proper directory creation, key storage, and cleanup.
Owner

🟡 Warning: Ensure that the trap command is correctly set to clean up the temporary directory even if the script exits unexpectedly. This is crucial for security and resource management.

Author
Owner

Reflection: this was a missing security-test pressure gap in the release tooling contract. The previous guardrail required an EXIT cleanup trap before signing but did not require interrupt/termination cleanup coverage.

Remediated in fb61618: the workflow cleanup trap now covers EXIT TERM INT before the signing key is written or used, and the release tooling test now requires each of those signals to be covered before any signing command.

Verification: bash tests/release_tooling_test.sh passes.

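The signing-key handling the thread converges on (PR summary: SHA-256 checksums and SSH signatures with verification commands; the two remediations: `umask 077`, a private `mktemp -d` directory, a cleanup `trap` installed before any key material is written, and signal coverage for `EXIT TERM INT`) as one runnable shell example. This is added here and is not the auto_review project's own workflow code; the function names, the `release` signing namespace, the sample principal and the checksum line are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example for this PR thread; not the auto_review project's workflow code.
# Demonstrates: umask 077, a private mktemp -d directory, a cleanup trap on
# EXIT TERM INT installed before any key material is written, ssh-keygen -Y
# signing of the checksum file, and verification against an allowed_signers
# list. Function names, the "release" namespace and the sample principal are
# assumptions made for this example.
set -eu

# Sign one file with a private key that only ever exists inside a private tempdir.
# The body is a subshell "( )" so the EXIT trap fires when this step finishes or
# dies, not when the whole script ends. Prints the tempdir path so the caller
# can confirm it no longer exists afterwards.
# Arguments: <private-key-source> <file-to-sign> <signature-output>
sign_with_private_tempdir() (
  key_src="$1"; target="$2"; sig_out="$3"
  umask 077                                  # new files 0600, new dirs 0700
  signing_dir="$(mktemp -d)"
  # Registered BEFORE the key is copied in, and on termination signals too, so an
  # interrupted or failed run cannot leave key material on the runner.
  trap 'rm -rf "$signing_dir"' EXIT TERM INT
  cp "$key_src" "$signing_dir/signing_key"
  chmod 600 "$signing_dir/signing_key"
  # ssh-keygen writes <target>.sig beside the input; move it to the requested path.
  ssh-keygen -Y sign -f "$signing_dir/signing_key" -n release "$target" >/dev/null 2>&1
  mv "$target.sig" "$sig_out"
  printf '%s\n' "$signing_dir"
)

# Verify a detached SSH signature against an allowed_signers file; this is the
# shape of the operator-side check a release note would carry.
# Arguments: <allowed_signers> <principal> <file> <signature>
verify_release_signature() {
  ssh-keygen -Y verify -f "$1" -I "$2" -n release -s "$4" < "$3" >/dev/null 2>&1
}

# Failure path: abort after the key has been written, as a publish step that
# dies mid-way would. Prints the tempdir path and exits non-zero.
abort_after_key_written() (
  umask 077
  signing_dir="$(mktemp -d)"
  trap 'rm -rf "$signing_dir"' EXIT TERM INT
  printf 'CONSTRUCTED FAKE KEY MATERIAL\n' > "$signing_dir/signing_key"
  printf '%s\n' "$signing_dir"
  exit 1
)

# Prints "cleaned" when the failed step left nothing behind, "leaked" otherwise.
cleanup_on_failure_check() {
  dir="$(abort_after_key_written)" || true
  if [ -n "$dir" ] && [ ! -e "$dir" ]; then echo cleaned; else echo leaked; fi
}

# End-to-end demo (needs ssh-keygen): throwaway ed25519 key, constructed
# SHA256SUMS, sign, confirm the tempdir is gone, verify, then confirm that a
# tampered checksum file is rejected. Prints "ok" when every step behaves.
release_signing_demo() {
  work="$(mktemp -d)"
  ssh-keygen -q -t ed25519 -N '' -f "$work/release_key"
  # Constructed sample checksum line (64 zero hex digits); not a real release digest.
  printf '%064d  auto-review-linux-x86_64.tar.gz\n' 0 > "$work/SHA256SUMS"
  printf 'release@example.invalid %s\n' "$(cat "$work/release_key.pub")" > "$work/allowed_signers"
  signing_dir="$(sign_with_private_tempdir "$work/release_key" "$work/SHA256SUMS" "$work/SHA256SUMS.sig")"
  [ ! -e "$signing_dir" ] || { echo "tempdir leaked"; return 1; }
  verify_release_signature "$work/allowed_signers" release@example.invalid \
    "$work/SHA256SUMS" "$work/SHA256SUMS.sig" || { echo "verify failed"; return 1; }
  printf 'tampered line\n' >> "$work/SHA256SUMS"
  if verify_release_signature "$work/allowed_signers" release@example.invalid \
       "$work/SHA256SUMS" "$work/SHA256SUMS.sig"; then
    echo "tamper not detected"; return 1
  fi
  rm -rf "$work"
  echo ok
}

main() {
  printf 'failure-path cleanup: %s\n' "$(cleanup_on_failure_check)"
  if command -v ssh-keygen >/dev/null 2>&1; then
    printf 'sign/verify demo: %s\n' "$(release_signing_demo)"
  fi
}
main "$@"
```

The subshell function body is what makes the `EXIT` trap fire at the end of the signing step rather than at script end; a workflow step that runs the same commands in its own `run:` block gets the same effect because each step is its own shell process. The `abort_after_key_written` path is the case the second contract test guards: cleanup must already be registered when the key hits disk, otherwise a failure between the write and the `trap` line leaves the key behind.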
jwilger marked this conversation as resolved
fix(release): clean signing tempdir on signals
All checks were successful
CI / Nix flake check (pull_request) Successful in 3m26s
CI / auto_review semantic review (pull_request) Successful in 1s
auto_review auto_review: no findings
Publish release / release-publish (pull_request) Has been skipped
fb61618434
jwilger dismissed auto-review's review 2026-05-07 14:34:31 -07:00
Reason:

New commits pushed, approval review dismissed automatically according to repository settings

auto-review left a comment

The PR enhances the release process by adding Linux binary artifacts and improving the cleanup mechanism in the release workflow. The changes appear safe to merge, with minor notes on ensuring comprehensive signal handling in traps.

No reviewers
No milestone
No project
No assignees
2 participants

Reference
Slipstream/auto_review!137