fix: remove SLSA provenance and draft release flow #17

Merged
azu merged 1 commit into main from fix/slsa-provenance-ref
Mar 31, 2026
Owner

@azu azu commented Mar 31, 2026

Summary

Remove SLSA provenance generation and draft-then-publish release flow from the release workflow. This simplifies the release pipeline by publishing releases directly via GoReleaser instead of creating draft releases with SLSA attestation.

Changes

  • Remove provenance job that generated SLSA v2.1.0 attestations using slsa-github-generator
  • Remove publish-release job that promoted draft releases to published
  • Remove hashes output from release job (no longer needed without provenance)
  • Remove release.draft: true from .goreleaser.yml so releases are published immediately

Breaking Changes

  • SLSA provenance attestations will no longer be generated for releases
  • Release assets will no longer include provenance files

Test Plan

  • Verify the release workflow triggers correctly when a release PR is merged
  • Confirm GoReleaser publishes the release directly (not as draft)
  • Verify release assets are uploaded correctly without provenance files

SLSA provenance doesn't work with pull_request event triggers
(OIDC token restrictions) and slsa-github-generator requires tag
refs which conflicts with SHA pinning. goreleaser now publishes
releases directly instead of as drafts.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Contributor

@devin-ai-integration devin-ai-integration Bot left a comment

✅ Devin Review: No Issues Found

Devin Review analyzed this PR and found no potential bugs to report.

View in Devin Review to see 2 additional findings.

@azu azu added the Type: CI Changes to CI configuration files and scripts label Mar 31, 2026
@azu azu merged commit 85b69e4 into main Mar 31, 2026
3 checks passed
@azu azu deleted the fix/slsa-provenance-ref branch March 31, 2026 13:43
@github-actions github-actions Bot mentioned this pull request Mar 31, 2026
azu pushed a commit that referenced this pull request Mar 31, 2026
<!-- Release notes generated using configuration in .github/release.yml
at main -->

## What's Changed
### CI
* fix: remove SLSA provenance and draft release flow by @azu in
#17


**Full Changelog**:
v1.0.2...v1.0.3

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>