fix: export .intoto.jsonl provenance for OpenSSF Scorecard #456

Merged
Aureliolo merged 2 commits into main from fix/scorecard-provenance-intoto on Mar 15, 2026
Conversation

@Aureliolo (Owner)

Summary

  • Extract DSSE envelope from the Sigstore bundle and upload as checksums.txt.intoto.jsonl alongside the existing .sigstore.json release asset
  • Scorecard's Signed-Releases check classifies .sigstore.json as a signature but not as provenance — .intoto.jsonl is the filename pattern it recognizes for SLSA provenance

Context

OpenSSF Scorecard warns "release artifact does not have provenance" for v0.2.4 even though SLSA L3 attestations exist in GitHub's attestation store. The root cause is that Scorecard looks for .intoto.jsonl files in release assets for provenance detection, while our .sigstore.json bundle (which contains the same SLSA provenance data) is only recognized as a signature artifact.

Changes

.github/workflows/cli.yml — Added jq -c '.dsseEnvelope' extraction step in the existing "Upload provenance bundle to release" step to produce checksums.txt.intoto.jsonl and upload it as a release asset.

Test plan

  • Verify jq is available on ubuntu-latest runners (pre-installed)
  • Next tag push (v0.2.5+) should produce both .sigstore.json and .intoto.jsonl release assets
  • Subsequent Scorecard run should show provenance recognized for the new release

🤖 Generated with Claude Code

Scorecard's Signed-Releases check classifies .sigstore.json as a
signature artifact but not as provenance. Extract the DSSE envelope
from the Sigstore bundle and upload it as checksums.txt.intoto.jsonl,
which Scorecard recognises as SLSA provenance.
@gemini-code-assist (Contributor)

Note

Gemini is unable to generate a summary for this pull request due to the file types involved not being currently supported.

@github-actions (Contributor)

github-actions bot commented Mar 15, 2026

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@coderabbitai

coderabbitai bot commented Mar 15, 2026

Caution

Review failed

The pull request is closed.


📥 Commits

Reviewing files that changed from the base of the PR and between 675e2fb and 762a151.

📒 Files selected for processing (1)
  • .github/workflows/cli.yml

📝 Walkthrough

Summary by CodeRabbit

  • New Features
    • Release uploads now include an additional attestation (DSSE) alongside the existing signature, improving provenance visibility for CLI releases and enhancing release verification for supply-chain security.

Walkthrough

The CLI release workflow now extracts the DSSE envelope from an attestation bundle into cli/dist/checksums.txt.intoto.jsonl and updates the release asset upload to include both cli/dist/checksums.txt.sigstore.json and cli/dist/checksums.txt.intoto.jsonl.

Changes

Cohort / File(s): CLI Release Workflow (.github/workflows/cli.yml)
Summary: Added a jq-based step to extract the DSSE envelope into cli/dist/checksums.txt.intoto.jsonl after copying the attestation bundle; updated the release upload to include both cli/dist/checksums.txt.sigstore.json and cli/dist/checksums.txt.intoto.jsonl.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/cli.yml:
- Line 342: The jq extraction of .dsseEnvelope from "$BUNDLE" should fail fast if the key is missing or null; change the call that writes to cli/dist/checksums.txt.intoto.jsonl to use jq -e -c '.dsseEnvelope' "$BUNDLE" and ensure the workflow exits non-zero when jq returns a non-truthy value (so the upload step won't run with a null/invalid checksums.txt.intoto.jsonl); reference the existing jq invocation and the $BUNDLE variable and the output path cli/dist/checksums.txt.intoto.jsonl to locate and update the command.

🔇 Additional comments (1)
.github/workflows/cli.yml (1)

345-346: Good release-asset expansion for Scorecard compatibility.

Uploading both .sigstore.json and .intoto.jsonl is the right direction for downstream provenance detection tooling.
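The extraction step from the PR description and the fail-fast behaviour the review asks for, as an added Python example (not the project's workflow, which uses jq in a bash step): it mirrors `jq -e -c '.dsseEnvelope'` on a Sigstore bundle, refuses a missing envelope or one whose payload is not SLSA provenance, and emits the single JSON line a `.intoto.jsonl` consumer expects. The sample bundle is constructed here with placeholder digest and signature bytes; `extract_dsse_envelope` and `subject_names` are names chosen for this example.

```python
import base64
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"
STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"


def extract_dsse_envelope(bundle_text: str) -> str:
    """Return the bundle's DSSE envelope as one compact JSON line (.intoto.jsonl).

    A plain `jq -c '.dsseEnvelope'` writes the literal "null" when the key is
    absent; this raises instead (what `jq -e` signals through its exit status)
    and also rejects an envelope whose payload is not SLSA provenance.
    """
    envelope = json.loads(bundle_text).get("dsseEnvelope")
    if not envelope:
        raise ValueError("bundle has no dsseEnvelope")
    if envelope.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    if not envelope.get("signatures"):
        raise ValueError("envelope carries no signatures")
    statement = json.loads(base64.b64decode(envelope["payload"]))
    if statement.get("_type") != STATEMENT_V1:
        raise ValueError("payload is not an in-toto v1 Statement")
    if not str(statement.get("predicateType", "")).startswith(SLSA_PREDICATE_PREFIX):
        raise ValueError("predicate is not SLSA provenance")
    # Compact separators reproduce `jq -c` output: one object, no whitespace.
    return json.dumps(envelope, separators=(",", ":"))


def subject_names(intoto_line: str) -> list[str]:
    """Artifact names covered by the provenance statement in a .intoto.jsonl line."""
    statement = json.loads(base64.b64decode(json.loads(intoto_line)["payload"]))
    return [subject["name"] for subject in statement["subject"]]


# Constructed sample (placeholder digest/signature), shaped like a Sigstore v0.3 bundle.
_STATEMENT = {
    "_type": STATEMENT_V1,
    "subject": [{"name": "checksums.txt", "digest": {"sha256": "00" * 32}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {"buildDefinition": {}, "runDetails": {}},
}
SAMPLE_BUNDLE = json.dumps({
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "dsseEnvelope": {
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "payload": base64.b64encode(json.dumps(_STATEMENT).encode()).decode(),
        "signatures": [{"sig": base64.b64encode(b"placeholder").decode(), "keyid": ""}],
    },
})
```

In the workflow this is the difference between an upload step that runs with a file containing `null` and one that never runs at all; the subject check additionally confirms the provenance actually names the artifact being released.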

Add -e flag to jq so the step exits non-zero if .dsseEnvelope is
null or absent, preventing upload of an invalid .intoto.jsonl to
an immutable release.
@Aureliolo Aureliolo merged commit 2feed09 into main Mar 15, 2026
30 of 31 checks passed
@Aureliolo Aureliolo deleted the fix/scorecard-provenance-intoto branch March 15, 2026 18:25
Aureliolo added a commit that referenced this pull request Mar 15, 2026
🤖 I have created a release *beep* *boop*
---

## [0.2.5](v0.2.4...v0.2.5) (2026-03-15)

### Features

* default sandbox to enabled, polish CLI output, add sandbox CI build ([#455](#455)) ([a4869b6](a4869b6))

### Bug Fixes

* export .intoto.jsonl provenance for OpenSSF Scorecard ([#456](#456)) ([2feed09](2feed09))

### Maintenance

* add pyrightconfig.json and fix all pyright errors ([#448](#448)) ([f60746a](f60746a))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).