ci(security:PLA-1612): harden release supply chain #96
Pull request overview
This PR hardens the release workflow by switching release publishing to be tag-triggered (semver tags) instead of relying on morpho-main commit messages, and by gating release-related Docker publishing/attestations on tag refs.
Changes:
- Change workflow trigger to run on `push` events for `*.*.*` tags rather than `morpho-main` branch pushes.
- Validate the release tag and remove workflow self-tagging (force-push tag creation).
- Gate Docker release images, manifests, and attestations on tag refs (replacing commit-message-based release detection).
Comments suppressed due to low confidence (3)
.github/workflows/release.yml:376
- The docker build job now runs on tag refs, but this version extraction still parses the commit message. On tag pushes, `github.event.head_commit.message` may not contain `release X.Y.Z`, leading to an empty `steps.version.outputs.VERSION` and incorrectly tagged images/build args. Prefer using `GITHUB_REF_NAME` (tag name) and validate it as semver, similar to the `release` job.

```yaml
        if: "github.ref_type == 'tag'"
        env:
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
        run: |
          VERSION=$(echo "$COMMIT_MESSAGE" | grep -oP 'release \K([0-9]+\.[0-9]+\.[0-9]+)')
```
.github/workflows/release.yml:564
- The arm64 docker build job is gated on tag refs, but this version extraction still parses the commit message. On tag pushes this can produce an empty `steps.version.outputs.VERSION` and propagate a blank VERSION into build args and tags. Use `GITHUB_REF_NAME` and validate it instead.

```yaml
        if: "github.ref_type == 'tag'"
        env:
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
        run: |
          VERSION=$(echo "$COMMIT_MESSAGE" | grep -oP 'release \K([0-9]+\.[0-9]+\.[0-9]+)')
```
.github/workflows/release.yml:735
- The manifest job is now tag-gated, but the version step still derives VERSION from the commit message. This will likely be empty on tag pushes and will break or mis-tag the release manifests (`steps.version.outputs.VERSION`). Use the pushed tag name (`GITHUB_REF_NAME`) and validate it.

```yaml
        if: "github.ref_type == 'tag'"
        env:
          COMMIT_MESSAGE: ${{ github.event.head_commit.message }}
        run: |
          VERSION=$(echo "$COMMIT_MESSAGE" | grep -oP 'release \K([0-9]+\.[0-9]+\.[0-9]+)')
```
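The version-extraction problem Copilot flags in all three jobs, as an added example that is not code from the PR or the repository: the old step parses `release X.Y.Z` out of the head commit message and silently yields an empty VERSION when the phrase is absent, whereas deriving VERSION from the tag name and validating it as strict `MAJOR.MINOR.PATCH` fails the job instead. Validation matters because the workflow's `*.*.*` tag filter is a glob, not a semver check (it also matches tags like `v1.2.3` or `foo.bar.baz`); the tag and message values used here are constructed test inputs.

```sh
#!/usr/bin/env sh
# Added example (not code from the PR or repository). Constructed inputs only.

# Old approach, as in the workflow excerpt: parse "release X.Y.Z" from the
# head commit message. Prints "" when the message has no such phrase, which
# is what happens on a tag push whose head commit is, say, a merge commit.
version_from_commit_message() {
  printf '%s\n' "$1" \
    | sed -n 's/.*release \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
    | head -n 1
}

# Proposed approach: the pushed tag name (GITHUB_REF_NAME) is the version.
# Accepts exactly MAJOR.MINOR.PATCH with no leading zeros and no prefix;
# anything else (v1.2.3, 1.2, 1.02.3, foo.bar.baz) is rejected with status 1.
version_from_tag() {
  ver="$1"
  if printf '%s\n' "$ver" \
      | grep -Eq '^(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$'; then
    printf '%s\n' "$ver"
    return 0
  fi
  return 1
}

# Step body as it would run under `if: github.ref_type == 'tag'`:
# a non-tag ref or a non-semver tag aborts the job instead of propagating a
# blank VERSION into build args, image tags and manifests.
resolve_release_version() {
  ref_type="$1"
  ref_name="$2"
  [ "$ref_type" = "tag" ] || { echo "not a tag push: $ref_type/$ref_name" >&2; return 1; }
  v=$(version_from_tag "$ref_name") \
    || { echo "tag '$ref_name' is not a strict X.Y.Z version" >&2; return 1; }
  printf '%s\n' "$v"
}
```

In the workflow this would replace the `COMMIT_MESSAGE` env and the `grep -oP` line with `VERSION=$(resolve_release_version "$GITHUB_REF_TYPE" "$GITHUB_REF_NAME")`, so a bad tag fails the step rather than producing an unversioned image.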
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 36220406d9
Summary
`release` environment.
Changes
`GITHUB_REF_NAME` and keep GoReleaser/npm/Docker publishing behind release environment gates.