21 changes: 21 additions & 0 deletions .github/workflows/publish-webapp.yml
@@ -4,6 +4,7 @@ permissions:
contents: read
packages: write
id-token: write
attestations: write

on:
workflow_call:
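Review bot: `attestations: write` is the right companion to the existing `id-token: write` (OIDC identity for the Sigstore signing) and `packages: write` (what `push-to-registry: true` needs to store the referrer in GHCR), so the set stays least-privilege. Because this file is `on: workflow_call`, the grant only takes effect if every caller up the chain also grants it; the publish.yml and release.yml hunks in this PR are therefore required, not cosmetic.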
@@ -58,6 +59,12 @@ jobs:
image_tags=$image_tags,$ref_without_tag:v4-beta
fi

# when pushing the mutable main tag, also push an immutable-by-convention
# full-commit-sha tag so a commit can be resolved to a specific digest
if [[ "${STEPS_GET_TAG_OUTPUTS_TAG}" == "main" ]]; then
image_tags=$image_tags,$ref_without_tag:${GITHUB_SHA}
fi

echo "image_tags=${image_tags}" >> "$GITHUB_OUTPUT"
env:
STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
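Review bot: the `${GITHUB_SHA}` tag is, as the comment already says, immutable only by convention; GHCR will let a later push overwrite `:<sha>` just as it overwrites `:main`, so nothing downstream should treat the tag as proof of content. What actually makes a commit resolvable to a specific digest is the attestation whose subject is that digest, so the comment should point consumers at resolving the tag to a digest and verifying that (`gh attestation verify oci://ghcr.io/triggerdotdev/trigger.dev@sha256:… --owner triggerdotdev`) rather than pulling by the tag. Minor: only the `main` tag gets a companion sha tag; the `v4-beta` branch just above does not, which is fine if intentional but worth one word in the comment.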
@@ -74,6 +81,7 @@ jobs:
echo "BUILD_GIT_SHA=${GITHUB_SHA}"
echo "BUILD_GIT_REF_NAME=${GITHUB_REF_NAME}"
echo "BUILD_TIMESTAMP_SECONDS=$(date +%s)"
echo "BUILD_TIMESTAMP_RFC3339=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
} >> "$GITHUB_OUTPUT"
env:
STEPS_GET_TAG_OUTPUTS_TAG: ${{ steps.get_tag.outputs.tag }}
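Review bot: `BUILD_TIMESTAMP_SECONDS` and `BUILD_TIMESTAMP_RFC3339` come from two separate `date` calls, so they can straddle a second boundary and disagree. Capture the epoch once and derive the other from it, e.g. `ts=$(date +%s)` followed by `echo "BUILD_TIMESTAMP_RFC3339=$(date -u -d @"$ts" +%Y-%m-%dT%H:%M:%SZ)"` (GNU date syntax, which holds if the runner's `date` is GNU date). Separately, a wall-clock timestamp baked into a label guarantees that rebuilding the same commit yields a different final-layer digest, so the sha tag and the attested digest identify a build, not a commit; acceptable, but it rules out reproducible-build comparisons later and should be a conscious choice.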
@@ -87,6 +95,7 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}

- name: 🐳 Build image and push to GitHub Container Registry
id: build_push
uses: depot/build-push-action@5f3b3c2e5a00f0093de47f657aeaefcedff27d18 # v1.17.0
with:
file: ./docker/Dockerfile
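Review bot: `id: build_push` is what makes `steps.build_push.outputs.digest` resolvable in the attest step below, so this is required rather than cosmetic. One thing to confirm once: that the action's `digest` output is the digest of the manifest consumers will pull (the multi-platform index if this build targets several platforms, which the elided `with:` block would show), since attesting a single-platform child manifest would leave `oci://ghcr.io/triggerdotdev/trigger.dev@<index digest>` unverifiable.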
@@ -98,8 +107,20 @@ jobs:
BUILD_GIT_SHA=${{ steps.set_build_info.outputs.BUILD_GIT_SHA }}
BUILD_GIT_REF_NAME=${{ steps.set_build_info.outputs.BUILD_GIT_REF_NAME }}
BUILD_TIMESTAMP_SECONDS=${{ steps.set_build_info.outputs.BUILD_TIMESTAMP_SECONDS }}
BUILD_TIMESTAMP_RFC3339=${{ steps.set_build_info.outputs.BUILD_TIMESTAMP_RFC3339 }}
SENTRY_RELEASE=${{ steps.set_build_info.outputs.BUILD_GIT_SHA }}
SENTRY_ORG=triggerdev
SENTRY_PROJECT=trigger-cloud
secrets: |
sentry_auth_token=${{ secrets.SENTRY_AUTH_TOKEN }}

- name: 🪪 Attest build provenance
# Image is already pushed by this point — don't fail releases (and the
# downstream publish-helm job) on a Sigstore/GHCR-referrer hiccup. Real
# config errors still surface as a step warning in the workflow run.
continue-on-error: true
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
with:
subject-name: ghcr.io/triggerdotdev/trigger.dev
subject-digest: ${{ steps.build_push.outputs.digest }}
push-to-registry: true
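Review bot: `continue-on-error: true` on the attest step means a release can ship with no provenance while the job stays green, and a step warning on a green job is rarely read. If blocking the release is really undesirable, at least make the gap loud: give the step an `id` and add a follow-up step with `if: steps.<id>.outcome == 'failure'` that writes to the job summary or opens an issue, so a Sigstore/GHCR outage or a wrong `subject-name` is noticed within the run rather than discovered at the first `gh attestation verify`. Related: `subject-name` is hardcoded to `ghcr.io/triggerdotdev/trigger.dev` while the tags pushed above are built from `$ref_without_tag`; if those ever diverge the attestation targets a name that was never pushed, `push-to-registry` fails, and this step then hides the failure. Deriving `subject-name` from the same variable removes that class of error.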
Comment on lines +117 to +126
@devin-ai-integration devin-ai-integration Bot May 5, 2026
📝 Info: Attestation step uses continue-on-error to avoid blocking releases

The continue-on-error: true on the attestation step (.github/workflows/publish-webapp.yml:121) means that Sigstore/GHCR failures won't block the downstream publish-helm job. This is an intentional trade-off: the image is already pushed by this point, so blocking releases on attestation infrastructure issues would be worse than a missing attestation. However, this also means genuine configuration errors (e.g., wrong subject-name, missing permissions) will only show as warnings rather than failures. The comment in the workflow acknowledges this.

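A consumer-side check that catches what the comment above describes (an image deployed with no attestation, or with one that does not match it), as an added example that is not part of this PR or of the trigger.dev code base. It assumes the Sigstore signature has already been verified by `gh attestation verify` or cosign, which is not reproduced here, and models only the policy layer over the statement's contents. The sample statement, its digest, commit SHA and run id are constructed, and the trusted-builder values (`TRUSTED_REPO`, `TRUSTED_WORKFLOW`, `TRUSTED_REFS`) are assumptions taken from the workflow in this diff.

```python
"""Policy check over a SLSA provenance statement for a container image.

Added example, not trigger.dev code. The statement layout follows the
in-toto Statement v1 / SLSA provenance v1 shape that GitHub Actions
provenance uses; all identifiers below are constructed sample data.
"""
import json
import re

# Assumptions about whom to trust, taken from the workflow in the diff.
TRUSTED_REPO = "https://github.com/triggerdotdev/trigger.dev"
TRUSTED_WORKFLOW = ".github/workflows/publish-webapp.yml"
TRUSTED_REFS = ("refs/heads/main",)  # add release refs here as policy allows

DIGEST_REF_RE = re.compile(r"^(?P<name>[^@]+)@sha256:(?P<digest>[0-9a-f]{64})$")

# Constructed sample; real statements carry more fields than this check reads.
SAMPLE_DIGEST = "8f" * 32
SAMPLE_STATEMENT = {
    "_type": "https://in-toto.io/Statement/v1",
    "subject": [{"name": "ghcr.io/triggerdotdev/trigger.dev",
                 "digest": {"sha256": SAMPLE_DIGEST}}],
    "predicateType": "https://slsa.dev/provenance/v1",
    "predicate": {
        "buildDefinition": {
            "buildType": "https://actions.github.io/buildtypes/workflow/v1",
            "externalParameters": {
                "workflow": {"ref": "refs/heads/main",
                             "repository": TRUSTED_REPO,
                             "path": ".github/workflows/release.yml"}},
            "resolvedDependencies": [
                {"uri": f"git+{TRUSTED_REPO}@refs/heads/main",
                 "digest": {"gitCommit": "0123456789abcdef0123456789abcdef01234567"}}],
        },
        "runDetails": {
            "builder": {"id": f"{TRUSTED_REPO}/{TRUSTED_WORKFLOW}@refs/heads/main"},
            "metadata": {"invocationId": f"{TRUSTED_REPO}/actions/runs/1/attempts/1"},
        },
    },
}


def check_provenance(statement: dict, image_ref: str) -> list[str]:
    """Return the list of policy violations; an empty list means accept."""
    m = DIGEST_REF_RE.match(image_ref)
    if not m:
        # A tag such as :main or :<sha> is mutable; only a digest names content.
        return [f"deploy reference is not pinned by digest: {image_ref}"]
    name, digest = m["name"], m["digest"]
    problems: list[str] = []

    if statement.get("_type") != "https://in-toto.io/Statement/v1":
        problems.append("not an in-toto v1 statement")
    if statement.get("predicateType") != "https://slsa.dev/provenance/v1":
        problems.append("predicate is not SLSA provenance v1")

    # Subject must match on name AND digest: the digest alone would accept a
    # statement about the same bytes published under another name, and the
    # name alone is exactly the mutable-tag problem being guarded against.
    subjects = statement.get("subject") or []
    if not any(s.get("name") == name and s.get("digest", {}).get("sha256") == digest
               for s in subjects):
        problems.append(f"no subject for {name}@sha256:{digest}")

    # Builder identity: the workflow that ran the attest step, pinned to
    # the repository, the workflow file and a ref we trust.
    pred = statement.get("predicate") or {}
    builder_id = pred.get("runDetails", {}).get("builder", {}).get("id", "")
    builder_prefix = f"{TRUSTED_REPO}/{TRUSTED_WORKFLOW}@"
    if not builder_id.startswith(builder_prefix):
        problems.append(f"untrusted builder: {builder_id or '<missing>'}")
    elif builder_id[len(builder_prefix):] not in TRUSTED_REFS:
        problems.append(f"builder ran from untrusted ref: {builder_id}")

    wf = pred.get("buildDefinition", {}).get("externalParameters", {}).get("workflow", {})
    if wf.get("repository") != TRUSTED_REPO:
        problems.append(f"provenance is for another repository: {wf.get('repository')}")
    return problems


def with_field(statement: dict, path: list, value) -> dict:
    """Deep-copied statement with one nested field replaced (for negative cases)."""
    out = json.loads(json.dumps(statement))
    node = out
    for key in path[:-1]:
        node = node[key]
    node[path[-1]] = value
    return out


if __name__ == "__main__":
    good_ref = f"ghcr.io/triggerdotdev/trigger.dev@sha256:{SAMPLE_DIGEST}"
    print("good   :", check_provenance(SAMPLE_STATEMENT, good_ref))
    print("by tag :", check_provenance(SAMPLE_STATEMENT, "ghcr.io/triggerdotdev/trigger.dev:main"))
    swapped = with_field(SAMPLE_STATEMENT, ["subject", 0, "digest", "sha256"], "00" * 32)
    print("digest :", check_provenance(swapped, good_ref))
```

Each negative case (tag-only reference, subject digest that does not match the deployed image, builder from another repository or ref) comes back with one named violation, and a non-empty list is what a deploy gate should refuse on. That is the fail-closed counterpart to the workflow's `continue-on-error`: the publish job may not block on a missing attestation, but the consumer still does.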

1 change: 1 addition & 0 deletions .github/workflows/publish.yml
@@ -68,6 +68,7 @@ jobs:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/publish-webapp.yml
secrets:
SENTRY_AUTH_TOKEN: ${{ secrets.SENTRY_AUTH_TOKEN }}
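Review bot: this job-level grant is needed because a job that `uses:` a reusable workflow cannot hand it more than the job itself holds; without it the run would be rejected at validation with a permissions error naming the `attestations` scope, before any step ran. Only the one scope is added, so the token stays as narrow as before for everything else.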
1 change: 1 addition & 0 deletions .github/workflows/release.yml
@@ -169,6 +169,7 @@ jobs:
contents: read
packages: write
id-token: write
attestations: write
uses: ./.github/workflows/publish.yml
secrets:
DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
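Review bot: release.yml is the top of the chain (release.yml calls publish.yml, which calls publish-webapp.yml), so this is the grant that actually bounds what the nested jobs may do; it matches the other two files. Worth a line in the PR description: the `DOCKERHUB_USERNAME` secret passed here suggests the image is also published to Docker Hub, yet `push-to-registry: true` attaches the attestation only to the GHCR subject. Because the attestation is keyed by subject digest, a digest-pinned Docker Hub reference can still be checked against the GitHub-stored attestation, but a registry-referrer lookup on Docker Hub will find nothing, which consumers of that copy should know.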
6 changes: 6 additions & 0 deletions docker/Dockerfile
@@ -98,11 +98,17 @@ ARG BUILD_APP_VERSION
ARG BUILD_GIT_SHA
ARG BUILD_GIT_REF_NAME
ARG BUILD_TIMESTAMP_SECONDS
ARG BUILD_TIMESTAMP_RFC3339
ENV BUILD_APP_VERSION=${BUILD_APP_VERSION} \
BUILD_GIT_SHA=${BUILD_GIT_SHA} \
BUILD_GIT_REF_NAME=${BUILD_GIT_REF_NAME} \
BUILD_TIMESTAMP_SECONDS=${BUILD_TIMESTAMP_SECONDS}

LABEL org.opencontainers.image.source="https://github.com/triggerdotdev/trigger.dev" \
org.opencontainers.image.revision="${BUILD_GIT_SHA}" \
org.opencontainers.image.version="${BUILD_APP_VERSION}" \
org.opencontainers.image.created="${BUILD_TIMESTAMP_RFC3339}"

EXPOSE 3000

# Add global pnpm shims and install pnpm during build (root user)
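Review bot: unlike its three siblings, `BUILD_TIMESTAMP_RFC3339` is declared with `ARG` but not exported via `ENV`; that is the right call since only the `LABEL` consumes it, but add a one-line comment so nobody later "fixes" the asymmetry. Two smaller points on the label block: when the image is built without these build args (a plain local `docker build`), every `${...}` expands to an empty string and the labels are written empty rather than omitted, so a default such as `ARG BUILD_GIT_SHA=unknown` would make a broken CI wiring distinguishable from a local build; and `org.opencontainers.image.source` repeats the same hardcoded repository URL as `subject-name` in the workflow, so the two should be kept in lockstep if the image ever moves. Also confirm this block sits in the final stage, since labels set in an intermediate stage do not reach the published image unless that stage is its base.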