ci: embed promote-to-prod VSA producer (RFC-044.5 P4) [sc-18869]#28
Merged
Conversation
…hallenger's identity, not actions-workflows [sc-18869]
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Embeds a self-contained promote-to-prod SLSA VSA producer into this repo and wires the release pipeline to call it, so challenger's released image (
ghcr.io/chronicleprotocol/challenger-go) earns a promote-to-prod Verification Summary Attestation.Two changes, one commit:
.github/workflows/promote-to-prod.yaml— a verbatim copy of the canonical producerchronicleprotocol/actions-workflows/.github/workflows/promote-to-prod.yaml@main. challenger is a public repo and cannot call the private actions-workflows reusable, so the producer is inlined here, exactly like the existing embeddedsign-image.yamlsigner. The workflow body is byte-for-byte identical to the canonical; the only addition is a comment block at the top noting it is an embedded copy kept in sync manually. Confirmed viacmpagainst a freshly fetched canonical..github/workflows/docker.yml— adds anattest_promotion_vsajob right after the existingsignjob, mirroring itsneeds: build-and-pushandif: ${{ needs.build-and-push.outputs.digest != '' }}gating. It calls this repo's own embedded producer at@main, the same reference style as thesign-image.yamlcall.build-and-pushalready exposesoutputs.digestandoutputs.tags, which feed the producer.Why the SAN matters
Because the producer runs in challenger, its keyless cosign SAN is
https://github.com/chronicleprotocol/challenger/.github/workflows/promote-to-prod.yaml@refs/heads/main. The (Audit)verify-chronicle-promotion-vsaKyverno IVP attestor will be widened separately (not in this repo, not in this PR) to accept that SAN.allow_unverified_ci: true
Set on the call so the producer defers tests-green to its own Trivy gate plus the CODEOWNERS-reviewed app-of-apps digest-pin PR (the deploy approval of record), rather than failing closed on a cross-repo CI read. Safe default for this in-repo release path.
Resolution note
The
uses:points at this repo's ownpromote-to-prod.yaml@main, which resolves once this PR merges, exactly as the embeddedsign-image.yamlreference did. The wiring validates on the next challenger release.Test
actionlint .github/workflows/docker.ymlandactionlint .github/workflows/promote-to-prod.yamlboth exit 0 (run against the pushed branch content). actionlint does not resolve the cross-repousesref to the not-yet-merged@mainfile; that is expected, same as the sign-image embed.Pushed via the GitHub API (not
git push) to avoid the local pre-push hook that runs tests and blocks workflow-only changes.Review only. Do not merge without a maintainer pass.