Publish attestation as release artifact

[austinvazquez]

Followup to #10543 (review) to attest artifacts prior to creating the release. This also should address containerd project's signed releases action item in CNCF CLO monitor Reference: containerd CLO monitor, scorecard checks doc

This allows the attestation to be published with the release artifacts. The trade-off is if create release were to fail (potentially due to GitHub outage), then artifacts have already been attested and published to GitHub attestations. This should be an acceptable trade-off as maintainers with write access can manually upload the containerd tarballs to GitHub or roll forward release.

Tested in fork, see https://github.com/austinvazquez/containerd/actions/runs/12002403717

[dmcgowan]

manually upload the artifacts

Where to manually upload them to? Anything we can do for the 2.0.0 release as well after the fact to get them to show up?

[austinvazquez]

Where to manually upload them to?

Manually upload the containerd tarballs to GitHub. The case I was attempting to think through was we attest the artifacts but are unable to publish the release. It is probably unlikely but wanted to think through if this change adds any complexity to release.

Anything we can do for the 2.0.0 release as well after the fact to get them to show up?

Let me look into this. We have the attestation on GitHub so I can write a quick one time workflow to pull the 2.0 artifacts, attest, and manually upload the attestation as a build artifact. (Assuming attestations are reproducible; which should be easy to verify)

[samuelkarp]

Looking at https://github.com/austinvazquez/containerd/releases/tag/vnightly-11.24.24-1, gh attestation verify still works even with the files moved:

$ gh attestation verify containerd-nightly-11.24.24-1-linux-amd64.tar.gz --repo austinvazquez/containerd
Loaded digest sha256:5a5582321b02449147191bc2cca75eed95a16d8a2b7001eae69720e2c0118d3f for file://containerd-nightly-11.24.24-1-linux-amd64.tar.gz
Loaded 1 attestation from GitHub API
✓ Verification succeeded!

sha256:5a5582321b02449147191bc2cca75eed95a16d8a2b7001eae69720e2c0118d3f was attested by:
REPO                      PREDICATE_TYPE                  WORKFLOW                                                   
austinvazquez/containerd  https://slsa.dev/provenance/v1  .github/workflows/release.yml@refs/tags/vnightly-11.24.24-1

Nice!

[dmcgowan]

Let's try it out for the next release

[austinvazquez]

Anything we can do for the 2.0.0 release as well after the fact to get them to show up?

@dmcgowan, I tried creating a workflow to pull the 2.0 artifacts and re-attest. TIL the attestation has some metadata which wouldn't be reproduced (i.e. the workflow, created timestamp, etc.) We can download the attestation for an individual release artifact. gh attestation download <path-to-artifact> --repo containerd/containerd, but nothing yet on how to reproduce the attestation have now.

[austinvazquez]

/cherry-pick release/2.0

[k8s-infra-cherrypick-robot]

@austinvazquez: only containerd org members may request cherry picks. If you are already part of the org, make sure to change your membership to public. Otherwise you can still do the cherry-pick manually.

Details

In response to this:

/cherry-pick release/2.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[akhilerm]

@austinvazquez: only containerd org members may request cherry picks. If you are already part of the org, make sure to change your membership to public. Otherwise you can still do the cherry-pick manually.

This is strange, If the org membership is public, you should be able to use the cherry-pick plugin? 🤔

[austinvazquez]

Oh, looks like the bot was correct. I had my membership private. Excited to try /cherry-pick :)

Going to let this bake on the next release before asking to take it back to other release branches.