ci(release): make build-test-evidence non-blocking (round 2) (#293) #294
Merged
Conversation
…) — round 2 (#293)

v0.10.0 manual republish forensics:

The release workflow on tag v0.10.0 (run 25966236046) built all five cross-platform binaries, the VSIX, the compliance report, the baseline snapshot, and ran docs-check successfully. The "Create GitHub Release" job was skipped because it `needs: build-test-evidence`, and that job failed on the spar -> highs-sys WASI cross-compile (CMake Threads::Threads target not available in the wasi-sdk 25.0 sysroot). The release was published manually from the workflow artifacts.

To prevent this hand-republish on every future tag push:

- `build-test-evidence`: `continue-on-error: true`. The job still runs and uploads its artifact when it succeeds (desirable add-on), but a failure no longer marks the run as failed.
- `create-release.needs`: drop `build-test-evidence`. The Collect assets step uses a permissive `find` and tolerates the missing tarball.

History: #272 originally introduced the continue-on-error; #274 reverted it with the wasi-sdk integration that we expected to handle highs-sys. v0.10.0 proved that's still not enough. Tracking the upstream fix in #293 — once that's resolved, this commit can be reverted.

Refs: #293
⚠️ Performance Alert ⚠️
Possible performance regression was detected for benchmark 'Rivet Criterion Benchmarks'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.20.
| Benchmark suite | Current: 814a160 | Previous: e2466db | Ratio |
|---|---|---|---|
| store_lookup/100 | 2145 ns/iter (± 24) | 1670 ns/iter (± 33) | 1.28 |
| store_lookup/1000 | 27139 ns/iter (± 455) | 19188 ns/iter (± 119) | 1.41 |
| traceability_matrix/1000 | 57009 ns/iter (± 2243) | 41149 ns/iter (± 163) | 1.39 |
| query/1000 | 7774 ns/iter (± 124) | 5467 ns/iter (± 16) | 1.42 |
This comment was automatically generated by workflow using github-action-benchmark.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
avrabe added a commit that referenced this pull request on May 17, 2026
…296)

Supply-Chain-Pentester finding (v0.10.0 adversarial review): SHA256SUMS shipped unsigned, so anyone who could replace a release asset could also replace the checksum file. The dossier sold defect detection (true) but quietly implied tamper detection (false).

Closes 80% of that gap with sigstore keyless OIDC — no long-lived signing key, no KMS provisioning, no rotation. The trust anchor is the GitHub-Actions workflow identity (issuer `token.actions.githubusercontent.com`, subject `.github/workflows/release.yml@refs/tags/vX.Y.Z`).

Workflow changes:

- `permissions.id-token: write` so the runner can request its OIDC token (required by cosign keyless flow).
- New `Install cosign` step (sigstore/cosign-installer@v3, v2.4.1).
- New `Sign SHA256SUMS with cosign (keyless OIDC)` step between checksum generation and release creation. Emits three artifacts:
  - `SHA256SUMS.txt.cosign.bundle` (verifier-friendly bundle)
  - `SHA256SUMS.txt.sig` (detached signature)
  - `SHA256SUMS.txt.pem` (Fulcio-issued short-lived cert)
- The existing `Collect assets` step's permissive `find` already picks up the new files; the release page will include them automatically.

New `RELEASING.md` documents:

- Why signed git tags matter + how to verify (`git tag -v`).
- What CI signs (and why sigstore keyless was chosen).
- How a consumer verifies a downloaded binary (two-step flow: cosign verify-blob on the bundle, then sha256sum -c).
- What is explicitly NOT signed at v0.10.0+ (binary archives transitively only, VSIX, compliance tarball, the maintainer's GPG keylist — for parity with the dossier §0 honest scope).
- The manual-republish procedure used for v0.10.0 (#294 context).

This addresses the Supply-Chain-Pentester's "one minimum primitive that closes 80% of the gaps" recommendation. The remaining 20% (per-archive signatures, VSIX signing, attestation in-toto bundle) are separate workstreams.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
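The two-step consumer verification the commit message describes, written out as an added example; this is not the project's `RELEASING.md` or any script from the repository. It assumes cosign 2.x and GNU coreutils `sha256sum` on PATH, uses `OWNER/REPO` as a placeholder because the page does not name the repository, and assumes the full Fulcio certificate identity is the repository URL prefixed to the workflow path quoted above.

```shell
#!/usr/bin/env sh
# Added example, not the project's own script. Verifies a downloaded release
# asset in the order the commit message prescribes: first the keyless
# signature over SHA256SUMS.txt, then the asset against that checksum list.
# Assumes cosign 2.x and GNU coreutils sha256sum; OWNER/REPO is a placeholder.
set -eu

OIDC_ISSUER="https://token.actions.githubusercontent.com"
REPO="${REPO:-OWNER/REPO}"   # placeholder: the page does not name the repo

# Certificate subject (SAN) that Fulcio issues to the release workflow for a
# given tag. Pinning issuer + full identity means a bundle signed from any
# other workflow, branch or fork fails verification even though it is an
# otherwise valid sigstore signature.
expected_identity() {
  printf 'https://github.com/%s/.github/workflows/release.yml@refs/tags/%s\n' "$REPO" "$1"
}

# Step 1: the checksum file is only trustworthy after this succeeds.
# The tag is matched verbatim; do not loosen this to a regexp identity.
verify_checksums_signature() {
  tag="$1"; sums="$2"; bundle="$3"
  cosign verify-blob \
    --bundle "$bundle" \
    --certificate-identity "$(expected_identity "$tag")" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "$sums"
}

# Step 2: check one downloaded asset against the verified list. Returns 2 if
# the asset is not listed at all, so a checksum file that simply omits the
# file cannot pass the check by default.
verify_asset_checksum() {
  sums="$1"; asset="$2"
  name=$(basename "$asset")
  sums_abs="$(cd "$(dirname "$sums")" && pwd)/$(basename "$sums")"
  awk -v n="$name" '{ f = $2; sub(/^\*/, "", f); if (f == n) ok = 1 }
                    END { exit !ok }' "$sums_abs" || return 2
  (cd "$(dirname "$asset")" && sha256sum -c --ignore-missing --quiet "$sums_abs")
}

# Usage (all files downloaded from the same release page; asset name is a
# placeholder):
#   verify_checksums_signature v0.10.0 SHA256SUMS.txt SHA256SUMS.txt.cosign.bundle \
#     && verify_asset_checksum SHA256SUMS.txt ./downloaded-asset.tar.gz
```

Run step 2 only when step 1 has exited 0; a passing `sha256sum -c` against an unverified list proves nothing, which is exactly the gap the commit describes.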
Summary
v0.10.0 release workflow built all binaries successfully but `Create GitHub Release` was skipped because `build-test-evidence` failed on the spar→highs-sys WASI cross-compile (transitive CMake `Threads::Threads` issue). I manually republished v0.10.0 from the workflow artifacts.
To prevent the hand-republish on every future tag push, this PR:
The root-cause investigation is tracked in #293 — once that lands, this commit can be reverted.
History
Test plan
🤖 Generated with Claude Code