
ci: GHCR commit-SHA tag, OCI labels, and build provenance#3528

Open
myftija wants to merge 3 commits into main from ci-image-build-improvements

Conversation

@myftija
Collaborator

@myftija myftija commented May 5, 2026

  • Tags webapp images by full commit SHA on main pushes (ghcr.io/triggerdotdev/trigger.dev:<sha>) so any commit can be resolved to a digest easily.
  • Adds OCI labels (source, revision, version, created) so docker inspect, vulnerability scanners, and registry browsers see source/commit/version directly.
  • Signs each pushed digest with SLSA build provenance via actions/attest-build-provenance@v4.1.0 (pinned by SHA), enabling gh attestation verify oci://... against the source commit and workflow.
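Added example, not part of the PR or of the trigger.dev repository: the tag-selection, timestamp and label rules the description above sets out, written as plain POSIX shell functions so they can be run and checked locally before being wired into a workflow. The image name ghcr.io/triggerdotdev/trigger.dev and source URL https://github.com/triggerdotdev/trigger.dev are taken from the PR; the function names, the SOURCE_DATE_EPOCH handling, the full-SHA check and the --label form (the PR sets the same keys through Dockerfile ARG/LABEL instead) are this example's own choices.

```shell
#!/bin/sh
# Added example, not the trigger.dev project's own CI code. Reproduces the
# image-tagging and OCI metadata rules from the PR as shell functions.
# Assumptions: image ghcr.io/triggerdotdev/trigger.dev and source repo
# https://github.com/triggerdotdev/trigger.dev are taken from the PR text;
# SOURCE_DATE_EPOCH support and the --label form are this example's choices.
set -eu

# Reject anything that is not a full 40-char lowercase hex commit SHA:
# abbreviated SHAs are ambiguous and must not end up in a tag or in
# org.opencontainers.image.revision.
is_full_sha() {
  case $1 in
    *[!0-9a-f]*|'') return 1 ;;
  esac
  [ "${#1}" -eq 40 ]
}

# Tags to push, one per line. Only the mutable "main" tag gets a companion
# tag named by the full commit SHA, so every main build resolves to an
# immutable reference; semver tags are immutable by convention already.
image_tags() {
  repo=$1; tag=$2; sha=$3
  printf '%s:%s\n' "$repo" "$tag"
  if [ "$tag" = "main" ]; then
    is_full_sha "$sha" || { echo "refusing short SHA for tag: $sha" >&2; return 1; }
    printf '%s:%s\n' "$repo" "$sha"
  fi
}

# RFC 3339 UTC timestamp for org.opencontainers.image.created. Honors
# SOURCE_DATE_EPOCH (GNU date first, BSD date as fallback) so a
# reproducible build can pin the value.
build_timestamp_rfc3339() {
  fmt=%Y-%m-%dT%H:%M:%SZ
  if [ -n "${SOURCE_DATE_EPOCH:-}" ]; then
    date -u -d "@$SOURCE_DATE_EPOCH" "+$fmt" 2>/dev/null \
      || date -u -r "$SOURCE_DATE_EPOCH" "+$fmt"
  else
    date -u "+$fmt"
  fi
}

# docker build --label flags for the four OCI keys the PR adds. The revision
# is validated so a short or empty SHA cannot be baked into the image.
oci_label_args() {
  source=$1; revision=$2; version=$3; created=$4
  is_full_sha "$revision" || { echo "revision must be a 40-hex SHA: $revision" >&2; return 1; }
  printf '%s %s=%s ' --label org.opencontainers.image.source "$source"
  printf '%s %s=%s ' --label org.opencontainers.image.revision "$revision"
  printf '%s %s=%s ' --label org.opencontainers.image.version "$version"
  printf '%s %s=%s\n' --label org.opencontainers.image.created "$created"
}

# Demo with constructed inputs (not real build output): prints the tag list
# and label flags a main-branch build would use. Run with DEMO=1.
if [ "${DEMO:-0}" = 1 ]; then
  sha=0123456789abcdef0123456789abcdef01234567
  image_tags ghcr.io/triggerdotdev/trigger.dev main "$sha"
  oci_label_args https://github.com/triggerdotdev/trigger.dev "$sha" \
    4.1.0 "$(SOURCE_DATE_EPOCH=0 build_timestamp_rfc3339)"
fi
```

The full-SHA check is the part worth keeping even if the rest is replaced by a workflow action: a seven-character SHA in a tag or in image.revision looks fine in a registry browser but cannot be resolved unambiguously years later, and it cannot be fed to an attestation verifier that expects a digest or a full commit.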

@changeset-bot

changeset-bot Bot commented May 5, 2026

⚠️ No Changeset found

Latest commit: bd152be

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



@coderabbitai
Contributor

coderabbitai Bot commented May 5, 2026

Walkthrough

CI workflows and the Dockerfile were updated to add build provenance attestation and richer build metadata. Workflows grant attestations: write, append a GITHUB_SHA tag when the selected tag resolves to main, compute and export BUILD_TIMESTAMP_RFC3339, pass SENTRY_RELEASE, SENTRY_ORG, and SENTRY_PROJECT as Docker build-args and provide sentry_auth_token from secrets.SENTRY_AUTH_TOKEN. After push, a step publishes build provenance to the registry using the build digest (runs with continue-on-error: true). The Dockerfile adds ARG BUILD_TIMESTAMP_RFC3339, consolidates build metadata into ENV, and adds OCI labels org.opencontainers.image.source, .revision, .version, and .created.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Description check | ⚠️ Warning | The description is incomplete. It lacks the required checklist, testing steps, and changelog sections from the repository template. | Add the complete PR template including the checklist, Testing section with test steps, and Changelog section describing changes concisely.

✅ Passed checks (4 passed)

Check name | Status | Explanation
Title check | ✅ Passed | The title clearly and concisely summarizes the three main changes: commit-SHA tagging, OCI labels, and build provenance attestation.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request.


Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/publish-webapp.yml (1)

97-122: ⚡ Quick win

Verify the pinned SHA for actions/attest-build-provenance@v4.1.0; also consider migrating to actions/attest for new implementations.

Two points:

  1. SHA verification — the pin a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 is confirmed to match the actual v4.1.0 release tag.

  2. Preferred action for new implementations — as of version 4, actions/attest-build-provenance is a wrapper on top of actions/attest, and GitHub explicitly states new implementations should use actions/attest instead. The current usage is functional and permitted for existing workflows, but a forward-looking migration to actions/attest would align with GitHub's stated direction.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-webapp.yml around lines 97 - 122, Confirm the
pinned commit for actions/attest-build-provenance
(a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 referenced for v4.1.0) actually
matches the git tag/release you intend and update the SHA if it does not; then
consider replacing the step that uses
actions/attest-build-provenance@a2bbfa25... with actions/attest for new
implementations (or add a comment explaining intentional pinning/compatibility)
so the workflow aligns with GitHub’s recommendation to use actions/attest going
forward.

📥 Commits

Reviewing files that changed from the base of the PR and between 31999af and 6752afd.

📒 Files selected for processing (2)
  • .github/workflows/publish-webapp.yml
  • docker/Dockerfile
🔇 Additional comments (3)
docker/Dockerfile (1)

97-110: LGTM — ARG scoping and LABEL syntax are correct.

All five ARG declarations are properly scoped to the runner stage. BUILD_TIMESTAMP_RFC3339 is deliberately not promoted to ENV (it's only needed at build-time for the label), which is the right call. Docker correctly interpolates ARG values inside LABEL instructions. OCI label keys follow the spec.

.github/workflows/publish-webapp.yml (2)

3-7: LGTM — permission additions are correct.

Both id-token: write (already present) and attestations: write (added) are required for OIDC-based provenance signing and persisting the attestation to the registry.


62-66: LGTM — commit-SHA tag conditional is correct.

Appending ${GITHUB_SHA} only when the mutable main tag is being pushed is the right approach. Semver tags are already immutable by convention and don't need an extra SHA tag.

Per GitHub Actions reusable-workflow semantics, the GITHUB_TOKEN passed to
a called workflow is at most the caller's job-level permissions. Without
this, actions/attest-build-provenance fails at runtime even though the
called workflow declares the scope.
Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/publish.yml (1)

90-98: 💤 Low value

Add attestations: write to publish-worker-v4 permissions if it adopts provenance attestation.

publish-webapp.yml uses actions/attest-build-provenance@v4.1.0 with an attestations: write permission. If publish-worker-v4.yml follows the same pattern in the future, it will require attestations: write here or the action will fail silently at runtime.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish.yml around lines 90 - 98, The publish-worker-v4
job currently grants permissions (contents, packages, id-token) but is missing
attestations: write; update the publish-worker-v4 job permissions block (job
name publish-worker-v4, which uses the publish-worker-v4 workflow via "uses:
./.github/workflows/publish-worker-v4.yml") to include attestations: write
alongside the existing permissions so any future use of
actions/attest-build-provenance or similar attestation actions will have the
required permission.

📥 Commits

Reviewing files that changed from the base of the PR and between 6752afd and 93eb75c.

📒 Files selected for processing (1)
  • .github/workflows/publish.yml
🔇 Additional comments (1)
.github/workflows/publish.yml (1)

67-76: LGTM — attestations: write correctly scoped to the publish-webapp caller job.

Granting attestations: write at the caller job level is the right approach for reusable workflow calls: GitHub copies only the permissions explicitly declared in the caller's job permissions block into the GITHUB_TOKEN available to the called workflow. Without this addition, actions/attest-build-provenance would fail at runtime with a 403 even though id-token: write was already present.

Contributor

@devin-ai-integration devin-ai-integration Bot left a comment


Devin Review found 2 new potential issues.


Comment thread .github/workflows/publish-webapp.yml
Comment on lines +117 to +122
- name: 🪪 Attest build provenance
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: ghcr.io/triggerdotdev/trigger.dev
subject-digest: ${{ steps.build_push.outputs.digest }}
push-to-registry: true
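Review bot: `subject-digest: ${{ steps.build_push.outputs.digest }}` is passed straight through with no guard, and because this step is allowed to continue-on-error (see the thread below), an empty digest (a renamed build step id, or a build that did not push) would surface as a step warning rather than a failed job. Suggest a `run:` step ahead of the attest step that does `test -n "$DIGEST"` with `DIGEST: ${{ steps.build_push.outputs.digest }}` in its `env:`, and a step after it that runs `gh attestation verify oci://ghcr.io/triggerdotdev/trigger.dev@$DIGEST --repo triggerdotdev/trigger.dev` without continue-on-error, so a missing attestation is caught at publish time instead of by consumers; if blocking the release on that is not acceptable, the verify step should at least emit a job-level annotation rather than a warning buried in the step log.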
Contributor

@devin-ai-integration devin-ai-integration Bot May 5, 2026


📝 Info: Attestation step uses continue-on-error to avoid blocking releases

The continue-on-error: true on the attestation step (.github/workflows/publish-webapp.yml:121) means that Sigstore/GHCR failures won't block the downstream publish-helm job. This is an intentional trade-off: the image is already pushed by this point, so blocking releases on attestation infrastructure issues would be worse than a missing attestation. However, this also means genuine configuration errors (e.g., wrong subject-name, missing permissions) will only show as warnings rather than failures. The comment in the workflow acknowledges this.


… path

- release.yml's publish-docker job now grants attestations:write so the
  reusable-workflow chain (release.yml -> publish.yml -> publish-webapp.yml)
  carries the scope all the way to actions/attest-build-provenance.
- continue-on-error on the attestation step itself: image is already
  pushed by the time this runs, so a Sigstore outage or GHCR referrer
  hiccup shouldn't fail the workflow and block the downstream publish-helm
  job. Real config errors still surface as a step warning.
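Added example, not the PR's or the project's code: a deploy-side gate in POSIX shell that fails closed when the provenance attestation cannot be verified, which is the check a consumer needs precisely because, as the comment and commit message above explain, the attestation step is allowed to fail without failing the publish workflow. It assumes the gh CLI's `gh attestation verify` subcommand with its `--repo` flag, the image and source-repository names from the PR, and a VERIFY_CMD variable (this example's own injection point) so the logic can be exercised without network access.

```shell
#!/bin/sh
# Added example, not code from the PR or the trigger.dev repository. A
# deploy-side gate that refuses an image unless its build provenance
# verifies. It exists because the workflow's attest step runs with
# continue-on-error, so a missing attestation never fails publishing; the
# consumer has to fail closed. Assumptions: gh CLI with the
# `gh attestation verify` subcommand, the image/source names from the PR,
# and VERIFY_CMD as an injection point so the gate runs without network.
set -eu

: "${VERIFY_CMD:=gh attestation verify}"

# Accept only digest-pinned references (repo@sha256:<64 hex>). A tag such as
# :main, or even :<commit-sha>, can be re-pointed after the check ran, so
# verifying a tag name would not bind the check to the bytes deployed.
require_digest_ref() {
  ref=$1
  digest=${ref##*@sha256:}
  [ "$digest" != "$ref" ] || { echo "refusing unpinned reference: $ref" >&2; return 1; }
  case $digest in
    *[!0-9a-f]*|'') echo "malformed digest in $ref" >&2; return 1 ;;
  esac
  [ "${#digest}" -eq 64 ] || { echo "bad digest length in $ref" >&2; return 1; }
  printf '%s\n' "$ref"
}

# Gate: exit 0 only when provenance for the digest verifies against the
# expected source repository. Any other outcome (unpinned ref, verifier
# error, no attestation in the registry) is a deny. VERIFY_CMD is left
# unquoted on purpose so "gh attestation verify" splits into words.
gate_image() {
  ref=$(require_digest_ref "$1") || return 1
  source_repo=$2
  if $VERIFY_CMD "oci://$ref" --repo "$source_repo" >/dev/null 2>&1; then
    echo "ALLOW $ref: provenance verified for $source_repo"
    return 0
  fi
  echo "DENY $ref: no valid provenance attestation" >&2
  return 2
}

# Typical use right before a rollout, after resolving the tag to its digest
# (e.g. docker buildx imagetools inspect <ref> --format '{{.Manifest.Digest}}'):
#   sh gate.sh ghcr.io/triggerdotdev/trigger.dev@sha256:<digest> triggerdotdev/trigger.dev
if [ $# -eq 2 ]; then
  gate_image "$1" "$2"
fi
```

The gate deliberately distinguishes "unpinned reference" from "verification failed": the first is a caller bug and is reported before any network call, the second is the signal that the publish-side attestation step did not do its job, and neither is allowed to fall through to a deploy.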
Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
.github/workflows/publish-webapp.yml (1)

122-122: 💤 Low value

Consider migrating to actions/attest — the upstream-recommended replacement.

actions/attest-build-provenance@v4 is a thin wrapper on actions/attest, and the maintainers recommend that new implementations use actions/attest directly instead. Since this is a new step, the migration is straightforward — the inputs (subject-name, subject-digest, push-to-registry) are identical.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/publish-webapp.yml at line 122, Replace the step that
currently uses
"actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32" with
the upstream-recommended "actions/attest" action (e.g., "actions/attest@v4"),
keeping the same inputs (subject-name, subject-digest, push-to-registry) and any
existing environment/permissions configuration; update the "uses:
actions/attest-build-provenance@..." reference to "uses: actions/attest@v4" and
verify the inputs and output names remain identical to ensure a drop-in
replacement.

📥 Commits

Reviewing files that changed from the base of the PR and between 93eb75c and bd152be.

📒 Files selected for processing (2)
  • .github/workflows/publish-webapp.yml
  • .github/workflows/release.yml
🔇 Additional comments (6)
.github/workflows/release.yml (1)

168-172: LGTM — necessary permission addition for the reusable-workflow attestation chain.

attestations: write is required at every caller level for GITHUB_TOKEN permissions to propagate through release.yml → publish.yml → publish-webapp.yml to the actions/attest-build-provenance step.

.github/workflows/publish-webapp.yml (5)

3-7: LGTM — correct permission addition at the workflow level.


62-66: LGTM — commit-SHA tag is correctly constructed and scoped.


73-88: LGTM — RFC 3339 timestamp format is correct for the OCI created label.


117-126: ⚡ Quick win

The pinned SHA a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 correctly corresponds to the v4.1.0 tag.


97-115: ⚡ Quick win

The concern about depot/build-push-action not exposing a digest output is unfounded. The action (v1.17.0) does expose a digest output as a String type, matching the interface of docker/build-push-action. The attestation step will receive a valid digest and function correctly.

> Likely an incorrect or invalid review comment.
