chore(release): align release pipeline with synth reference (SBOM + SLSA + build-env)#330
Merged
ghost reviewed on May 24, 2026:
⚠️ Performance Alert ⚠️
Possible performance regression was detected for benchmark 'Rivet Criterion Benchmarks'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.20.
| Benchmark suite | Current: d27c128 | Previous: cfe0cdf | Ratio |
|---|---|---|---|
| store_insert/10000 | 20051567 ns/iter (± 2915939) | 13754166 ns/iter (± 376068) | 1.46 |
| validate/10000 | 15358313 ns/iter (± 2400397) | 12574742 ns/iter (± 634955) | 1.22 |
This comment was automatically generated by workflow using github-action-benchmark.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Force-pushed d27c128 to ae4e2af:
… + SLSA + build-env)
Adopts the standardized pulseengine release pattern (per the
"per-repo Claude agent" brief): every release ships a CycloneDX SBOM,
a SLSA v1 build-provenance attestation, a signed SHA256SUMS, and a
build-env record naming the toolchain it was produced with.
Rivet already had cosign-keyless SHA256SUMS signing; the missing legs
were the SBOM (must precede the sums so its digest is captured in the
manifest), the SLSA provenance step, the build-env record, and the
`attestations: write` permission needed by attest-build-provenance.
Changes
-------
1. Top-level permissions: add `attestations: write` alongside the
existing `contents: write` + `id-token: write`. Required by
actions/attest-build-provenance@v2.
2. Asset staging directory: rename `release/` → `release-assets/`
to match the synth/spar/sigil/witness shared name. Pure cosmetic
(file paths are scoped to this job), but it makes the verification
one-liner in release notes copy-pasteable across repos.
3. New step "Install cargo-cyclonedx" + "Generate toolchain SBOM
(CycloneDX)" — inserted BEFORE the SHA256SUMS step so the SBOM's
digest enters the manifest and the cosign signature transitively
covers it. Emits `release-assets/rivet-<bare-version>.cdx.json`
(no `v` prefix on the version per the brief).
4. New step "Generate SLSA build provenance"
(actions/attest-build-provenance@v2) — runs AFTER the sums file
exists, attests every `release-assets/*.tar.gz` to GitHub's
attestation store. Consumers verify with:
gh attestation verify rivet-vX.Y.Z-<triple>.tar.gz \
--repo pulseengine/rivet
5. New step "Capture build environment" — emits
`release-assets/build-env.txt` with rustc, cargo, cosign, and
runner versions. Prerequisite for REQ-094 (`rivet release-verify`).
Final release-asset shape
-------------------------
rivet-vX.Y.Z-<triple>.{tar.gz|zip}
rivet-X.Y.Z.cdx.json
SHA256SUMS.txt
SHA256SUMS.txt.sig
SHA256SUMS.txt.pem
SHA256SUMS.txt.cosign.bundle
build-env.txt
(plus VSIX + compliance bundle from existing jobs)
Verification one-liners (paste into release notes)
--------------------------------------------------
cosign verify-blob \
--certificate-identity-regexp \
'https://github.com/pulseengine/rivet/.github/workflows/release.yml@.*' \
--certificate-oidc-issuer \
'https://token.actions.githubusercontent.com' \
--bundle SHA256SUMS.txt.cosign.bundle SHA256SUMS.txt
gh attestation verify rivet-vX.Y.Z-<triple>.tar.gz \
--repo pulseengine/rivet
Refs: REQ-068, REQ-094
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Force-pushed ae4e2af to 93a4887.
Summary
Adopts the standardized pulseengine release pattern (per the per-repo Claude agent brief) so rivet's release-asset shape matches synth / spar / sigil / witness. Rivet already had cosign-keyless SHA256SUMS signing; this PR closes the remaining gaps:
- CycloneDX SBOM, generated before `SHA256SUMS.txt` so its digest enters the manifest (cosign signature transitively covers it).
- SLSA build provenance via `actions/attest-build-provenance@v2` over every `release-assets/*.tar.gz`.
- `build-env.txt` capturing rustc / cargo / cosign / runner versions (prerequisite for REQ-094 `rivet release-verify`).
- `attestations: write` permission added alongside the existing `contents: write` + `id-token: write`.
- `release/` → `release-assets/` to match the cross-repo shared name, so the verification one-liners are copy-pasteable across repos.
Final release-asset shape
```
rivet-vX.Y.Z-<triple>.{tar.gz|zip}
rivet-X.Y.Z.cdx.json
SHA256SUMS.txt
SHA256SUMS.txt.sig
SHA256SUMS.txt.pem
SHA256SUMS.txt.cosign.bundle
build-env.txt
(plus VSIX + compliance bundle from existing jobs)
```
Verification one-liners (for release notes)
```bash
cosign verify-blob \
--certificate-identity-regexp \
'https://github.com/pulseengine/rivet/.github/workflows/release.yml@.*' \
--certificate-oidc-issuer \
'https://token.actions.githubusercontent.com' \
--bundle SHA256SUMS.txt.cosign.bundle SHA256SUMS.txt
gh attestation verify rivet-vX.Y.Z-<triple>.tar.gz \
--repo pulseengine/rivet
```
Test plan
What this does NOT do
Refs: REQ-068, REQ-094
🤖 Generated with Claude Code
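The step ordering that both the commit message (steps 3 to 5) and the PR summary describe, as an added example that is not rivet's release workflow or any code from the project: it stages a stand-in tarball and SBOM, writes `SHA256SUMS.txt` only after the SBOM exists, records `build-env.txt` after the sums, and then checks which assets the manifest actually lists. The stage directory, version 0.1.0, the target triple and the placeholder file contents are constructed for the example; `cosign verify-blob` and `gh attestation verify` are invoked with the flags from the PR's own one-liners, but only when those tools are installed, so the offline digest check is what runs everywhere.

```shell
#!/bin/sh
# Added example, not the rivet project's release workflow. Reproduces the
# staging order the PR describes (SBOM before SHA256SUMS.txt, build-env
# after) and the consumer-side verification. All file names and contents
# below are constructed placeholders; 0.1.0 and the triple are assumptions.
set -eu

# Use coreutils sha256sum, or BSD shasum where that is what the host has.
sha256_cmd() {
  if command -v sha256sum >/dev/null 2>&1; then echo sha256sum
  else echo "shasum -a 256"; fi
}

# Stage constructed stand-ins for the release tarball and the CycloneDX SBOM.
stage_release_assets() {
  mkdir -p "$1"
  printf 'constructed tarball bytes\n' > "$1/rivet-v0.1.0-x86_64-unknown-linux-gnu.tar.gz"
  printf '{"bomFormat":"CycloneDX","specVersion":"1.5","components":[]}\n' > "$1/rivet-0.1.0.cdx.json"
}

# Write SHA256SUMS.txt over every regular file present at this moment,
# excluding the manifest and its signature artifacts. Anything created
# afterwards (build-env.txt in the PR's step order) is not covered.
write_sha256sums() {
  ( cd "$1"
    : > SHA256SUMS.txt
    for f in *; do
      [ -f "$f" ] || continue
      case $f in SHA256SUMS.txt*) continue ;; esac
      $(sha256_cmd) "$f" >> SHA256SUMS.txt
    done )
}

# Record the toolchain, as the "Capture build environment" step does.
capture_build_env() {
  {
    for tool in rustc cargo; do
      if command -v "$tool" >/dev/null 2>&1; then printf '%s: %s\n' "$tool" "$("$tool" --version)"
      else printf '%s: not installed\n' "$tool"; fi
    done
    if command -v cosign >/dev/null 2>&1; then
      printf 'cosign: %s\n' "$(cosign version 2>/dev/null | grep -m1 GitVersion || echo unknown)"
    else printf 'cosign: not installed\n'; fi
    printf 'runner: %s\n' "$(uname -srm)"
  } > "$1/build-env.txt"
}

# Succeeds iff NAME ($2) appears as an entry in DIR/SHA256SUMS.txt.
manifest_lists() {
  awk -v n="$2" '$2 == n { found = 1 } END { exit !found }' "$1/SHA256SUMS.txt"
}

# Offline check: every listed digest still matches its file.
verify_sums() {
  ( cd "$1" && $(sha256_cmd) -c SHA256SUMS.txt >/dev/null )
}

# Consumer-side check of a downloaded release directory. The cosign and gh
# calls are the PR's one-liners and need network access, so they run only
# when the tool is installed; the digest check always runs.
verify_release() {
  dir=$1; repo=$2; identity=$3
  verify_sums "$dir" || return 1
  if command -v cosign >/dev/null 2>&1 && [ -f "$dir/SHA256SUMS.txt.cosign.bundle" ]; then
    ( cd "$dir" && cosign verify-blob \
        --certificate-identity-regexp "$identity" \
        --certificate-oidc-issuer https://token.actions.githubusercontent.com \
        --bundle SHA256SUMS.txt.cosign.bundle SHA256SUMS.txt ) || return 1
  fi
  if command -v gh >/dev/null 2>&1; then
    for f in "$dir"/*.tar.gz; do
      [ -f "$f" ] || continue
      gh attestation verify "$f" --repo "$repo" || return 1
    done
  fi
}

# Stand-alone demo of the offline part, in the PR's step order.
demo() {
  stage=$(mktemp -d)
  stage_release_assets "$stage"
  write_sha256sums "$stage"      # SBOM already present, so it is covered
  capture_build_env "$stage"     # written after the sums, so it is not
  verify_sums "$stage"
  manifest_lists "$stage" rivet-0.1.0.cdx.json && echo "SBOM covered by manifest"
  manifest_lists "$stage" build-env.txt || echo "build-env.txt not covered by manifest"
  rm -rf "$stage"
}
demo
```

The demo makes the consequence of step 5's position visible: because `build-env.txt` is emitted after the SHA256SUMS step, it has no entry in the manifest and is therefore outside what the cosign signature covers, unlike the SBOM, which the PR deliberately generates first. A consumer who wants to trust the toolchain record needs it either moved ahead of the sums step or covered by the provenance attestation. For real assets, `verify_release DIR pulseengine/rivet 'https://github.com/pulseengine/rivet/.github/workflows/release.yml@.*'` runs the same checks with the identity regexp from the release notes.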