ci: use draft releases to support immutable GitHub releases

keelerm84 · keelerm84 · commit 5f2a68d19c84 · 2026-03-31T21:15:16.000Z
diff --git a/.github/workflows/release-please.yml b/.github/workflows/release-please.yml
@@ -58,14 +58,29 @@ jobs:
     needs: ['release-please']
     permissions:
       id-token: write # Needed for OIDC to get release secrets from AWS.
+      attestations: write # Needed for actions/attest.
+      contents: write # Needed for creating tags.
     if: ${{ needs.release-please.outputs.package-server-ai-released == 'true' }}
-    outputs:
-      package-hashes: ${{ steps.build.outputs.package-hashes }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
+      - name: Create release tag
+        env:
+          TAG_NAME: ${{ needs.release-please.outputs.package-server-ai-tag-name }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if gh api "repos/${{ github.repository }}/git/ref/tags/${TAG_NAME}" >/dev/null 2>&1; then
+            echo "Tag ${TAG_NAME} already exists, skipping creation."
+          else
+            echo "Creating tag ${TAG_NAME}."
+            git config user.name "github-actions[bot]"
+            git config user.email "github-actions[bot]@users.noreply.github.com"
+            git tag "${TAG_NAME}"
+            git push origin "${TAG_NAME}"
+          fi
+
       - uses: ./.github/actions/ci
         with:
           workspace_path: packages/sdk/server-ai
@@ -75,6 +90,17 @@ jobs:
         with:
           workspace_path: packages/sdk/server-ai
 
+      - name: Generate checksums file
+        env:
+          HASHES: ${{ steps.build.outputs.package-hashes }}
+        run: |
+          echo "$HASHES" | base64 -d > checksums.txt
+
+      - name: Attest build provenance
+        uses: actions/attest@v4
+        with:
+          subject-checksums: checksums.txt
+
       - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
         name: 'Get PyPI token'
         with:
@@ -92,14 +118,29 @@ jobs:
     needs: ['release-please']
     permissions:
       id-token: write # Needed for OIDC to get release secrets from AWS.
+      attestations: write # Needed for actions/attest.
+      contents: write # Needed for creating tags.
     if: ${{ needs.release-please.outputs.package-server-ai-langchain-released == 'true' }}
-    outputs:
-      package-hashes: ${{ steps.build.outputs.package-hashes }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
+      - name: Create release tag
+        env:
+          TAG_NAME: ${{ needs.release-please.outputs.package-server-ai-langchain-tag-name }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if gh api "repos/${{ github.repository }}/git/ref/tags/${TAG_NAME}" >/dev/null 2>&1; then
+            echo "Tag ${TAG_NAME} already exists, skipping creation."
+          else
+            echo "Creating tag ${TAG_NAME}."
+            git config user.name "github-actions[bot]"
+            git config user.email "github-actions[bot]@users.noreply.github.com"
+            git tag "${TAG_NAME}"
+            git push origin "${TAG_NAME}"
+          fi
+
       - uses: ./.github/actions/ci
         with:
           workspace_path: packages/ai-providers/server-ai-langchain
@@ -109,6 +150,17 @@ jobs:
         with:
           workspace_path: packages/ai-providers/server-ai-langchain
 
+      - name: Generate checksums file
+        env:
+          HASHES: ${{ steps.build.outputs.package-hashes }}
+        run: |
+          echo "$HASHES" | base64 -d > checksums.txt
+
+      - name: Attest build provenance
+        uses: actions/attest@v4
+        with:
+          subject-checksums: checksums.txt
+
       - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
         name: 'Get PyPI token'
         with:
@@ -153,45 +205,34 @@ jobs:
           password: ${{ env.PYPI_AUTH_TOKEN }}
           packages-dir: ${{ inputs.workspace_path }}/dist/
 
-  release-server-ai-provenance:
-    needs: ['release-please', 'release-server-ai']
-    if: ${{ needs.release-please.outputs.package-server-ai-released == 'true' }}
-    permissions:
-      actions: read # Needed for detecting the GitHub Actions environment.
-      id-token: write # Needed for provenance signing.
-      contents: write # Needed for uploading assets to the release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
-    with:
-      base64-subjects: "${{ needs.release-server-ai.outputs.package-hashes }}"
-      upload-assets: true
-      upload-tag-name: ${{ needs.release-please.outputs.package-server-ai-tag-name }}
-
-  release-server-ai-langchain-provenance:
-    needs: ['release-please', 'release-server-ai-langchain']
-    if: ${{ needs.release-please.outputs.package-server-ai-langchain-released == 'true' }}
-    permissions:
-      actions: read # Needed for detecting the GitHub Actions environment.
-      id-token: write # Needed for provenance signing.
-      contents: write # Needed for uploading assets to the release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.0.0
-    with:
-      base64-subjects: "${{ needs.release-server-ai-langchain.outputs.package-hashes }}"
-      upload-assets: true
-      upload-tag-name: ${{ needs.release-please.outputs.package-server-ai-langchain-tag-name }}
-
   release-server-ai-openai:
     runs-on: ubuntu-latest
     needs: ['release-please']
     permissions:
       id-token: write # Needed for OIDC to get release secrets from AWS.
+      attestations: write # Needed for actions/attest.
+      contents: write # Needed for creating tags.
     if: ${{ needs.release-please.outputs.package-server-ai-openai-released == 'true' }}
-    outputs:
-      package-hashes: ${{ steps.build.outputs.package-hashes }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
+      - name: Create release tag
+        env:
+          TAG_NAME: ${{ needs.release-please.outputs.package-server-ai-openai-tag-name }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if gh api "repos/${{ github.repository }}/git/ref/tags/${TAG_NAME}" >/dev/null 2>&1; then
+            echo "Tag ${TAG_NAME} already exists, skipping creation."
+          else
+            echo "Creating tag ${TAG_NAME}."
+            git config user.name "github-actions[bot]"
+            git config user.email "github-actions[bot]@users.noreply.github.com"
+            git tag "${TAG_NAME}"
+            git push origin "${TAG_NAME}"
+          fi
+
       - uses: ./.github/actions/ci
         with:
           workspace_path: packages/ai-providers/server-ai-openai
@@ -201,6 +242,17 @@ jobs:
         with:
           workspace_path: packages/ai-providers/server-ai-openai
 
+      - name: Generate checksums file
+        env:
+          HASHES: ${{ steps.build.outputs.package-hashes }}
+        run: |
+          echo "$HASHES" | base64 -d > checksums.txt
+
+      - name: Attest build provenance
+        uses: actions/attest@v4
+        with:
+          subject-checksums: checksums.txt
+
       - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
         name: 'Get PyPI token'
         with:
@@ -213,32 +265,34 @@ jobs:
           password: ${{ env.PYPI_AUTH_TOKEN }}
           packages-dir: packages/ai-providers/server-ai-openai/dist/
 
-  release-server-ai-openai-provenance:
-    needs: ['release-please', 'release-server-ai-openai']
-    if: ${{ needs.release-please.outputs.package-server-ai-openai-released == 'true' }}
-    permissions:
-      actions: read # Needed for detecting the GitHub Actions environment.
-      id-token: write # Needed for provenance signing.
-      contents: write # Needed for uploading assets to the release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
-    with:
-      base64-subjects: "${{ needs.release-server-ai-openai.outputs.package-hashes }}"
-      upload-assets: true
-      upload-tag-name: ${{ needs.release-please.outputs.package-server-ai-openai-tag-name }}
-
   release-server-ai-optimization:
     runs-on: ubuntu-latest
     needs: ['release-please']
     permissions:
       id-token: write # Needed for OIDC to get release secrets from AWS.
+      attestations: write # Needed for actions/attest.
+      contents: write # Needed for creating tags.
     if: ${{ needs.release-please.outputs.package-server-ai-optimization-released == 'true' }}
-    outputs:
-      package-hashes: ${{ steps.build.outputs.package-hashes }}
     steps:
       - uses: actions/checkout@v4
         with:
           fetch-depth: 0
 
+      - name: Create release tag
+        env:
+          TAG_NAME: ${{ needs.release-please.outputs.package-server-ai-optimization-tag-name }}
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          if gh api "repos/${{ github.repository }}/git/ref/tags/${TAG_NAME}" >/dev/null 2>&1; then
+            echo "Tag ${TAG_NAME} already exists, skipping creation."
+          else
+            echo "Creating tag ${TAG_NAME}."
+            git config user.name "github-actions[bot]"
+            git config user.email "github-actions[bot]@users.noreply.github.com"
+            git tag "${TAG_NAME}"
+            git push origin "${TAG_NAME}"
+          fi
+
       - uses: ./.github/actions/ci
         with:
           workspace_path: packages/optimization
@@ -248,6 +302,17 @@ jobs:
         with:
           workspace_path: packages/optimization
 
+      - name: Generate checksums file
+        env:
+          HASHES: ${{ steps.build.outputs.package-hashes }}
+        run: |
+          echo "$HASHES" | base64 -d > checksums.txt
+
+      - name: Attest build provenance
+        uses: actions/attest@v4
+        with:
+          subject-checksums: checksums.txt
+
       - uses: launchdarkly/gh-actions/actions/release-secrets@release-secrets-v1.2.0
         name: 'Get PyPI token'
         with:
@@ -260,15 +325,49 @@ jobs:
           password: ${{ env.PYPI_AUTH_TOKEN }}
           packages-dir: packages/optimization/dist/
 
-  release-server-ai-optimization-provenance:
-    needs: ['release-please', 'release-server-ai-optimization']
-    if: ${{ needs.release-please.outputs.package-server-ai-optimization-released == 'true' }}
+  publish-release:
+    needs: ['release-please', 'release-server-ai', 'release-server-ai-langchain', 'release-server-ai-openai', 'release-server-ai-optimization']
+    if: ${{ always() && needs.release-please.result == 'success' && (needs.release-please.outputs.package-server-ai-released == 'true' || needs.release-please.outputs.package-server-ai-langchain-released == 'true' || needs.release-please.outputs.package-server-ai-openai-released == 'true' || needs.release-please.outputs.package-server-ai-optimization-released == 'true') }}
+    runs-on: ubuntu-latest
     permissions:
-      actions: read # Needed for detecting the GitHub Actions environment.
-      id-token: write # Needed for provenance signing.
-      contents: write # Needed for uploading assets to the release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.0.0
-    with:
-      base64-subjects: "${{ needs.release-server-ai-optimization.outputs.package-hashes }}"
-      upload-assets: true
-      upload-tag-name: ${{ needs.release-please.outputs.package-server-ai-optimization-tag-name }}
+      contents: write
+    steps:
+      - name: Publish server-ai release
+        if: ${{ needs.release-please.outputs.package-server-ai-released == 'true' && needs.release-server-ai.result == 'success' }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ needs.release-please.outputs.package-server-ai-tag-name }}
+        run: >
+          gh release edit "$TAG_NAME"
+          --repo ${{ github.repository }}
+          --draft=false
+
+      - name: Publish server-ai-langchain release
+        if: ${{ needs.release-please.outputs.package-server-ai-langchain-released == 'true' && needs.release-server-ai-langchain.result == 'success' }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ needs.release-please.outputs.package-server-ai-langchain-tag-name }}
+        run: >
+          gh release edit "$TAG_NAME"
+          --repo ${{ github.repository }}
+          --draft=false
+
+      - name: Publish server-ai-openai release
+        if: ${{ needs.release-please.outputs.package-server-ai-openai-released == 'true' && needs.release-server-ai-openai.result == 'success' }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ needs.release-please.outputs.package-server-ai-openai-tag-name }}
+        run: >
+          gh release edit "$TAG_NAME"
+          --repo ${{ github.repository }}
+          --draft=false
+
+      - name: Publish server-ai-optimization release
+        if: ${{ needs.release-please.outputs.package-server-ai-optimization-released == 'true' && needs.release-server-ai-optimization.result == 'success' }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ needs.release-please.outputs.package-server-ai-optimization-tag-name }}
+        run: >
+          gh release edit "$TAG_NAME"
+          --repo ${{ github.repository }}
+          --draft=false
diff --git a/release-please-config.json b/release-please-config.json
@@ -7,6 +7,7 @@
       "versioning": "default",
       "bump-minor-pre-major": true,
       "include-v-in-tag": false,
+      "draft": true,
       "extra-files": ["src/ldai/__init__.py", "PROVENANCE.md"],
       "component": "launchdarkly-server-sdk-ai"
     },
@@ -15,6 +16,7 @@
       "versioning": "default",
       "bump-minor-pre-major": true,
       "include-v-in-tag": false,
+      "draft": true,
       "extra-files": ["src/ldai_langchain/__init__.py"],
       "component": "launchdarkly-server-sdk-ai-langchain"
     },
@@ -23,6 +25,7 @@
       "versioning": "default",
       "bump-minor-pre-major": true,
       "include-v-in-tag": false,
+      "draft": true,
       "extra-files": ["src/ldai_openai/__init__.py"],
       "component": "launchdarkly-server-sdk-ai-openai"
     },
@@ -31,6 +34,7 @@
       "versioning": "default",
       "bump-minor-pre-major": true,
       "include-v-in-tag": false,
+      "draft": true,
       "extra-files": ["src/ldai_optimization/__init__.py"],
       "component": "launchdarkly-server-sdk-ai-optimization"
     }
