feat(release): standardised gale release pipeline — signed wasm + rivet compliance#72

Merged: avrabe merged 2 commits into main from feat/release-pipeline on Jun 19, 2026
Conversation

@avrabe avrabe commented Jun 19, 2026

Contributor

Bring gale's wasm modules + rivet compliance into a proper release

Establishes gale's release flow, mirroring how pulseengine/synth and pulseengine/relay release (cosign-signed SHA256SUMS.txt, CycloneDX SBOM, SLSA build provenance, build-env.txt, rivet compliance report). gale ships no CLI binary, so its release "binaries" are the wasm-cross-LTO kernel modules.

Flow (3 decoupled workflows, ecosystem-standard)

 v* tag ──> release.yml ──────────────> GitHub Release (signed)
              build sem+mutex+msgq        ├─ gale-wasm-{sem,mutex,msgq}-<tag>{.o,.wasm,.wat}
              SBOM + SHA256SUMS            ├─ gale-wasm-manifest-<tag>.json   (trust anchor)
              SLSA provenance + cosign     ├─ gale-<ver>.cdx.json             (CycloneDX SBOM)
                                           ├─ SHA256SUMS.txt{,.sig,.pem,.cosign.bundle}
                                           └─ build-env.txt
                       │
              release: published
                       ▼
            compliance.yml ───> gale-<tag>-compliance-report.tar.gz  (rivet)

Changes

  • release.yml (new) — tag-triggered creator. Builds the wasm dist via scripts/build-wasm-dist.sh on pinned loom v1.1.14 + synth v0.11.48 (the toolchain that builds all three modules — #359/#372 land in 0.11.48), then ships the standardised provenance bundle (SBOM, cosign-signed SHA256SUMS, SLSA attest-build-provenance, build-env), idempotent gh release create/upload.
  • compliance.yml (new) — on release publish, runs the pulseengine/rivet compliance action (@v0.16.1, rivet-version: v0.15.0 = gale's pinned schema) and attaches the report. Decoupled + additive; a report failure can't break the release.
  • release-wasm.yml — demoted to workflow_dispatch-only manual rebuild (uploads a run artifact). release.yml now owns release-time wasm, so the release: published trigger (which would double-build/attach) is removed; pins bumped to lockstep.

Verification (release notes one-liner)

cosign verify-blob \
  --certificate-identity-regexp 'https://github.com/pulseengine/gale/.github/workflows/release.yml@.*' \
  --certificate-oidc-issuer 'https://token.actions.githubusercontent.com' \
  --bundle SHA256SUMS.txt.cosign.bundle SHA256SUMS.txt
gh attestation verify gale-wasm-msgq-<tag>-cortex-m4f.o --repo pulseengine/gale

Validation status

Not yet exercised against a real tag — the first v* tag (or a workflow_dispatch with an existing tag) is the validation oracle. Both wasm-building jobs carry the /mnt scratch-disk mount from the ENOSPC fix (#71) so they don't hit disk exhaustion. Security: all tag values flow through env: (never expanded into run:), matching the synth/relay pattern.

Depends-on: #71 (CI disk fix) for clean signal. Sequenced after #70 (msgq) so the msgq module is in main when the first release builds it.

🤖 Generated with Claude Code

…et compliance

Establishes gale's release flow, mirroring pulseengine/synth + pulseengine/relay
(cosign-signed SHA256SUMS, CycloneDX SBOM, SLSA build provenance, build-env
capture, rivet compliance report). gale ships no CLI binary, so its release
"binaries" are the wasm-cross-LTO kernel modules.

- .github/workflows/release.yml (NEW): tag-triggered creator. Builds the wasm
  dist (sem+mutex+msgq) via scripts/build-wasm-dist.sh on pinned loom v1.1.14 +
  synth v0.11.48 (the toolchain that builds all three — #359/#372 land in
  0.11.48), then publishes the standardised bundle: gale-<ver>.cdx.json SBOM,
  SHA256SUMS.txt cosign-signed (keyless OIDC), SLSA build provenance over the
  .o objects, build-env.txt, and gh release create with every wasm asset.
- .github/workflows/compliance.yml (NEW): on release publish, generates the
  rivet compliance report (pulseengine/rivet compliance action @v0.16.1,
  rivet-version v0.15.0 = gale's pinned schema version) and attaches it.
  Decoupled + additive — a report failure can't break the release.
- .github/workflows/release-wasm.yml: demoted to workflow_dispatch-only (manual
  on-demand rebuild -> run artifact). release.yml now owns release-time wasm
  build + attach + sign, so the release: published trigger (which would
  double-build/attach) is removed; pins bumped to lockstep (v1.1.14 / v0.11.48).

Both new jobs that build wasm carry the /mnt scratch-disk mount from the
zephyr-tests ENOSPC fix (#71), so they don't hit the same disk exhaustion.

Not yet exercised against a real tag — the first v* tag (or a workflow_dispatch
with an existing tag) is the validation oracle. Release infra; for review.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
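As an added example (not from this PR or the gale repo), here is the consumer-side step the verification one-liner stops short of: after cosign has accepted SHA256SUMS.txt, check the assets you actually downloaded against that signed manifest and report anything missing, modified, or present but never listed. The helper, its function names, the fixture contents and the exact asset suffixes are assumptions; the names only mimic the `gale-wasm-{sem,mutex,msgq}-<tag>` pattern described above.

```shell
#!/usr/bin/env sh
# Hypothetical consumer-side check (not part of gale or this PR): once
# `cosign verify-blob` has accepted SHA256SUMS.txt, confirm that every
# downloaded release asset matches the signed manifest. The signature
# proves the manifest came from release.yml; this step ties the files you
# actually hold back to that manifest.

hash_file() {
  # Portable SHA-256 of one file (sha256sum on Linux, shasum on macOS).
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1"
  else
    shasum -a 256 "$1"
  fi | cut -d' ' -f1
}

verify_sums() {
  # $1 = directory holding SHA256SUMS.txt plus the assets to check.
  # Returns 0 only if every listed asset is present and matches and no
  # unlisted asset is present. The signature sidecars are exempt from the
  # "unlisted" rule because they cannot be listed in the file they sign.
  dir=$1
  sums="$dir/SHA256SUMS.txt"
  [ -f "$sums" ] || { echo "no manifest at $sums" >&2; return 2; }
  rc=0
  while read -r digest name; do
    [ -n "$digest" ] || continue
    name=${name#\*}                       # tolerate binary-mode "*name" entries
    if [ ! -f "$dir/$name" ]; then
      echo "MISSING  $name" >&2; rc=1; continue
    fi
    if [ "$(hash_file "$dir/$name")" = "$digest" ]; then
      echo "OK       $name"
    else
      echo "MISMATCH $name" >&2; rc=1
    fi
  done < "$sums"
  # An asset someone attached to the release after signing cannot appear in
  # the signed manifest, so unlisted files are exactly what this loop catches.
  for path in "$dir"/*; do
    n=$(basename "$path")
    case "$n" in
      SHA256SUMS.txt|SHA256SUMS.txt.sig|SHA256SUMS.txt.pem|SHA256SUMS.txt.cosign.bundle)
        continue ;;
    esac
    if ! awk -v n="$n" '$2 == n || $2 == ("*" n) { f = 1 } END { exit !f }' "$sums"; then
      echo "UNLISTED $n" >&2; rc=1
    fi
  done
  return $rc
}

demo_release_dir() {
  # Constructed fixture (not real gale output): two fake modules named like
  # gale's assets, one signature sidecar, and a sha256sum-style manifest.
  d=$(mktemp -d)
  printf 'fake sem module'  > "$d/gale-wasm-sem-v0.1.0-cortex-m4f.o"
  printf 'fake msgq module' > "$d/gale-wasm-msgq-v0.1.0-cortex-m4f.o"
  : > "$d/SHA256SUMS.txt.cosign.bundle"    # sidecar, legitimately unlisted
  for f in "$d"/gale-wasm-*.o; do
    printf '%s  %s\n' "$(hash_file "$f")" "$(basename "$f")"
  done > "$d/SHA256SUMS.txt"
  printf '%s\n' "$d"
}

demo_clean() {       # an untouched download must pass
  verify_sums "$(demo_release_dir)"
}

demo_unlisted() {    # an asset added to the release after signing must fail
  d=$(demo_release_dir)
  printf 'not signed' > "$d/gale-wasm-mutex-v0.1.0-cortex-m4f.o"
  if verify_sums "$d"; then return 1; else return 0; fi
}

demo_tampered() {    # a listed asset whose bytes changed must fail
  d=$(demo_release_dir)
  printf 'x' >> "$d/gale-wasm-sem-v0.1.0-cortex-m4f.o"
  if verify_sums "$d"; then return 1; else return 0; fi
}

demo_clean && demo_unlisted && demo_tampered && echo "all checks behaved as expected"
```

Run it after the cosign and gh attestation commands above, pointing verify_sums at the directory the assets were downloaded into. Note that, per the PR, SLSA provenance is attested over the .o objects only; the .wasm and .wat assets are tied to the release solely through SHA256SUMS.txt, so this manifest check is the step that actually verifies them.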
codecov Bot commented Jun 19, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

@avrabe avrabe merged commit 1f18e91 into main Jun 19, 2026
58 of 59 checks passed
@avrabe avrabe deleted the feat/release-pipeline branch June 19, 2026 20:50