fix(release): correct BCR publish attestation flow (adopt release_ruleset)#504
Merged
The BCR publish has never landed: publish-to-bcr (attest: true) fetches the
source archive's provenance attestation at <source.template.json url>.intoto.jsonl
and 404s, because:
- .bcr/source.template.json pointed at the GitHub auto archive
(/archive/refs/tags/{TAG}.tar.gz), but the attestation was produced for a
bespoke archive and stored in GitHub's attestation API (not a release asset);
- release.yml pinned publish-to-bcr@v6, which is not a real release tag
(latest is v1.4.x).
Adopt the canonical bazel-contrib flow:
- .github/workflows/release_prep.sh builds rules_wasm_component-<tag>.tar.gz
with internal prefix rules_wasm_component-<version>/ — matching the template.
- release.yml = release_ruleset.yaml@v7.7.7 (draft: true; attests release_files
and uploads <archive>.tar.gz.intoto.jsonl) -> publish-to-bcr@v1.4.1 (same run)
-> finalize (un-draft).
- source.template.json url -> the attested release asset
(releases/download/{TAG}/rules_wasm_component-{TAG}.tar.gz).
- publish-to-bcr.yml pinned v1.4.0 -> v1.4.1 for consistency.
Verified locally: release_prep.sh v1.1.0 emits rules_wasm_component-v1.1.0.tar.gz
with prefix rules_wasm_component-1.1.0/ (exactly basename(template.url) and
strip_prefix). Full workflow validation requires an actual release cut.
Note: release_prep.sh is a deliberate exception to the no-shell policy — the
release_ruleset reusable workflow hard-codes this path; it is release CI tooling,
not build logic.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
The BCR publish has never landed. The v1.1.0 release surfaced why: the `publish_to_bcr` job failed with a 404 fetching the source archive's provenance attestation.

Root cause

`publish-to-bcr` (`attest: true`) constructs the attestation URL as `<source.template.json .url>.intoto.jsonl` and downloads it. It 404'd because:

- `.bcr/source.template.json` pointed at the GitHub auto archive (`/archive/refs/tags/{TAG}.tar.gz`), but the attestation was produced for a bespoke archive and stored in GitHub's attestation API — never uploaded as `<that-url>.intoto.jsonl`.
- `release.yml` pinned `publish-to-bcr@v6`, which isn't a real release tag (latest is `v1.4.x`).

Fix — adopt the canonical `bazel-contrib` flow (per `rules-template`)

- `.github/workflows/release_prep.sh` (new): builds `rules_wasm_component-<tag>.tar.gz` with internal prefix `rules_wasm_component-<version>/`.
- `release.yml` rewritten: `release_ruleset.yaml@v7.7.7` (draft: true; attests `release_files`, uploads `<archive>.tar.gz.intoto.jsonl`) → `publish-to-bcr@v1.4.1` (same run, finds the attestation) → `finalize` (un-drafts).
- `.bcr/source.template.json` `url` → the attested release asset: `releases/download/{TAG}/rules_wasm_component-{TAG}.tar.gz`.
- `publish-to-bcr.yml` pin `v1.4.0` → `v1.4.1` for consistency.

Verification

- ✅ Local: `release_prep.sh v1.1.0` emits `rules_wasm_component-v1.1.0.tar.gz` with prefix `rules_wasm_component-1.1.0/` — exactly `basename(template.url)` + `strip_prefix`, so the attestation will be where publish-to-bcr looks. JSON/YAML valid.
- ⏳ Full validation requires an actual release cut (workflow orchestration can't be run locally). Suggested: merge, then cut v1.1.1 through the corrected flow to land the first BCR entry. v1.1.0 itself is already published on GitHub (non-draft) so it won't retro-publish via the draft flow.

Notes

- `release_prep.sh` is a deliberate exception to the repo no-shell policy — `release_ruleset` hard-codes this path; it's release CI tooling, not build logic.
- `release_prep.sh` (bzlmod snippet) rather than git-cliff, and the archive is built via `git archive` (reproducible) rather than rsync.

🤖 Generated with Claude Code
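A preflight check for the two invariants this PR restores, written here as an added example and not part of the PR or the repository: given a `source.template.json`, the release tag, the asset name the release workflow attests, and the archive itself, it renders the template, derives the `<url>.intoto.jsonl` location the publisher fetches, and reports any mismatch between `basename(url)` and the asset name or between `strip_prefix` and the archive's top-level directory. The `{VERSION}` and `{OWNER}` placeholders, the `example-org` owner, the `render`/`check` helper names and the in-memory stand-in for `release_prep.sh` output are assumptions.

```python
import io
import json
import tarfile
from urllib.parse import urlparse

# Constructed .bcr/source.template.json after the fix; {OWNER}/{VERSION} placeholders assumed.
SOURCE_TEMPLATE = json.dumps({
    "integrity": "",
    "strip_prefix": "rules_wasm_component-{VERSION}",
    "url": "https://github.com/{OWNER}/rules_wasm_component/releases/download/"
           "{TAG}/rules_wasm_component-{TAG}.tar.gz",
})

def render(template: str, tag: str) -> dict:
    """Fill placeholders: TAG keeps the leading 'v', VERSION drops it (v1.1.0 -> 1.1.0)."""
    version = tag[1:] if tag.startswith("v") else tag
    text = template.replace("{TAG}", tag).replace("{VERSION}", version)
    return json.loads(text.replace("{OWNER}", "example-org"))  # assumed owner

def attestation_url(source: dict) -> str:
    """Where publish-to-bcr (attest: true) fetches the provenance: <url>.intoto.jsonl."""
    return source["url"] + ".intoto.jsonl"

def archive_top_dir(archive: bytes):
    """Single top-level directory of a tar.gz, or None if there is not exactly one."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:gz") as tf:
        tops = {m.name.split("/", 1)[0] for m in tf.getmembers()}
    return tops.pop() if len(tops) == 1 else None

def check(template: str, tag: str, asset_name: str, archive: bytes) -> list[str]:
    """List the mismatches that would make the BCR publish 404 or fail strip_prefix."""
    src = render(template, tag)
    problems = []
    if urlparse(src["url"]).path.rsplit("/", 1)[-1] != asset_name:
        problems.append(f"url basename is not the attested asset {asset_name!r}")
    if "/archive/refs/tags/" in src["url"]:
        problems.append("url is the GitHub auto-archive; no .intoto.jsonl is uploaded there")
    top = archive_top_dir(archive)
    if top != src["strip_prefix"]:
        problems.append(f"strip_prefix {src['strip_prefix']!r} != archive prefix {top!r}")
    return problems

def make_archive(prefix: str) -> bytes:
    """Constructed stand-in for release_prep.sh output: a tar.gz with one top-level dir."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        data = b'module(name = "rules_wasm_component")\n'
        info = tarfile.TarInfo(f"{prefix}/MODULE.bazel")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Running `check` against the pre-fix template (the `/archive/refs/tags/{TAG}.tar.gz` url) reproduces both findings the PR describes, while the corrected template with a `rules_wasm_component-1.1.0/` prefix passes cleanly.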