Conversation
Greptile Summary
This PR fixes a case where GitHub artifact attestation certificates containing the SAN URI
Confidence Score: 5/5
Safe to merge — minimal, targeted fix with no P0/P1 issues and a real-certificate regression test. The change is a two-line condition that adds the obvious missing exact-equality branch, the
No files require special attention.
Flowchart

```mermaid
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[SAN URI found in certificate extension] --> B{starts_with\nhttps://github.com/}
B -- Yes --> C{contains\n/.github/workflows/}
C -- Yes --> D[Set workflow_ref_full,\nworkflow_name, repository]
C -- No --> E{contains\n/actions/runs/}
E -- No --> F[Set repository from github.com path]
E -- Yes --> G[Skip / no assignment]
B -- No --> H{uri_str ==\nhttps://dotcom.releases.github.com\nOR starts_with\nhttps://dotcom.releases.github.com/}
H -- Yes --> I[Set repository =\n'dotcom.releases.github.com']
H -- No --> J[Unrecognized URI / ignored]
I --> K[has_github_certificate_identity check]
D --> K
F --> K
K --> L{workflow_ref.is_some\nOR repo == dotcom.releases.github.com\nOR repo.contains /}
L -- true --> M[Valid GitHub identity ✓]
L -- false --> N[Reject: no GitHub identity ✗]
```
Reviews (1): Last reviewed commit: "fix: accept dotcom releases SAN without ..."
Code Review
This pull request updates the certificate verification logic in src/verify.rs to include an exact match check for the dotcom.releases.github.com URI, ensuring the repository is correctly identified even without a trailing slash. Additionally, a new unit test has been implemented to validate this behavior using a sample attestation certificate. I have no feedback to provide.
## 🤖 New release

* `sigstore-verification`: 0.2.4 -> 0.2.5 (✓ API compatible changes)

<details><summary><i><b>Changelog</b></i></summary><p>
<blockquote>

## [0.2.5](v0.2.4...v0.2.5) - 2026-04-15

### Fixed

- accept dotcom releases SAN without slash ([#43](#43))

</blockquote>
</p></details>

---

This PR was generated with [release-plz](https://github.com/release-plz/release-plz/).

---

> [!NOTE]
> **Low Risk**
> Low risk release bookkeeping only: updates the crate version and changelog with no functional code changes in this PR.
>
> **Overview**
> Prepares the `v0.2.5` release by bumping the crate version in `Cargo.toml` and adding a `0.2.5` entry to `CHANGELOG.md` (noting the fix to accept dotcom releases SAN without a slash).
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit a360a8d. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>
Summary
Tests
> [!NOTE]
> **Low Risk**
> Low risk: small tweak to certificate SAN URI parsing plus a regression test; main impact is slightly broader acceptance of a specific GitHub hostname identity.
>
> **Overview**
> - Fixes GitHub attestation certificate parsing to recognize the exact `https://dotcom.releases.github.com` SAN (in addition to the `/...` form) when extracting the repository identity.
> - Adds a regression test that parses a real GitHub release attestation certificate and asserts `dotcom.releases.github.com` is extracted and treated as a valid GitHub identity.
>
> Reviewed by Cursor Bugbot for commit f5e3d13. Bugbot is set up for automated code reviews on this repo.
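The SAN-URI classification sketched in the Greptile flowchart and summarized in the Bugbot overview, written out as a stand-alone Rust example. This is added illustration code, not the `sigstore-verification` crate's `src/verify.rs`: the struct `GitHubIdentity`, the function `parse_san_uri`, its field names, and the way `workflow_name` is cut from the workflow path are assumptions; `has_github_certificate_identity` is the name the flowchart uses. The `exact_match_fix` flag is only there to show the pre-fix and post-fix behaviour side by side on the bare `https://dotcom.releases.github.com` SAN; a real implementation would simply keep the fixed branch.

```rust
/// Identity fields pulled from the SAN URI of a GitHub-issued Fulcio
/// certificate. Hypothetical type for this example; the crate's own
/// struct and field names are not shown on the page.
#[derive(Debug, Default, PartialEq, Eq)]
pub struct GitHubIdentity {
    pub repository: Option<String>,
    pub workflow_ref: Option<String>,
    pub workflow_name: Option<String>,
}

const GITHUB_PREFIX: &str = "https://github.com/";
const DOTCOM_RELEASES_HOST: &str = "dotcom.releases.github.com";
const DOTCOM_RELEASES_URI: &str = "https://dotcom.releases.github.com";
const DOTCOM_RELEASES_URI_SLASH: &str = "https://dotcom.releases.github.com/";

/// Classify one SAN URI following the branches of the flowchart.
/// `exact_match_fix = false` reproduces the bug the PR fixes (only the
/// trailing-slash form of the dotcom releases host was accepted).
pub fn parse_san_uri(uri: &str, exact_match_fix: bool) -> GitHubIdentity {
    let mut id = GitHubIdentity::default();

    if let Some(path) = uri.strip_prefix(GITHUB_PREFIX) {
        if let Some((repo, rest)) = path.split_once("/.github/workflows/") {
            // Workflow identity: "owner/repo/.github/workflows/<file>@<ref>".
            // Assumption: workflow_name is the file part before the "@ref" suffix.
            id.repository = Some(repo.to_string());
            id.workflow_ref = Some(uri.to_string());
            id.workflow_name = Some(rest.split('@').next().unwrap_or(rest).to_string());
        } else if path.contains("/actions/runs/") {
            // Build-run URI: the flowchart assigns nothing for this form.
        } else {
            // Plain repository URI: keep the path as the repository identity.
            id.repository = Some(path.to_string());
        }
    } else if uri.starts_with(DOTCOM_RELEASES_URI_SLASH)
        || (exact_match_fix && uri == DOTCOM_RELEASES_URI)
    {
        id.repository = Some(DOTCOM_RELEASES_HOST.to_string());
    }
    // Anything else is an unrecognized URI and leaves `id` empty.
    id
}

/// The acceptance check from the flowchart's final decision node.
pub fn has_github_certificate_identity(id: &GitHubIdentity) -> bool {
    id.workflow_ref.is_some()
        || id.repository.as_deref() == Some(DOTCOM_RELEASES_HOST)
        || id.repository.as_deref().map_or(false, |r| r.contains('/'))
}

/// Convenience: parse then decide, with the fix enabled.
pub fn accepts(uri: &str) -> bool {
    has_github_certificate_identity(&parse_san_uri(uri, true))
}

fn main() {
    // Constructed sample SAN URIs, not values from a real certificate.
    let samples = [
        "https://dotcom.releases.github.com",
        "https://dotcom.releases.github.com/",
        "https://github.com/octo/repo/.github/workflows/release.yml@refs/tags/v1.0.0",
        "https://github.com/octo/repo",
        "https://github.com/octo/repo/actions/runs/123",
        "https://dotcom.releases.github.com.evil.example/",
    ];
    for uri in samples {
        let id = parse_san_uri(uri, true);
        println!("{} -> {:?} valid={}", uri, id, has_github_certificate_identity(&id));
    }
}
```

Note the two host checks together: `uri == DOTCOM_RELEASES_URI` accepts the bare host, and `starts_with("https://dotcom.releases.github.com/")` keeps the path form, while a bare `starts_with("https://dotcom.releases.github.com")` without the slash would also match `https://dotcom.releases.github.com.evil.example/`. This SAN parse only answers "which GitHub identity does the certificate claim"; it is meaningful only after the certificate has been verified to chain to the Fulcio root, which the page does not cover.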