feat(terraprovider/statebridge): GitHub artifact attestations config

[scop]

https://github.com/terraprovider/statebridge/attestations

Check List

• Read CONTRIBUTING.md
  • ⚠️ Avoid force push
  • ⚠️ Use argd s command when adding new packages
• Install and execute the package and confirm if the package works well

Summary by CodeRabbit

• Chores
  • Added support for GitHub artifact attestations to release configuration, including a configured signer workflow to attest released artifacts.
  • Enhances supply-chain security alongside existing SLSA provenance, checksum, and signing/cosign verifications for stronger artifact integrity assurance.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8e3b20dd-1fa1-4ef7-870d-952c6f835d91

📥 Commits

Reviewing files that changed from the base of the PR and between d9402b7 and bb50dfc.

📒 Files selected for processing (2)

• pkgs/terraprovider/statebridge/registry.yaml
• registry.yaml

✅ Files skipped from review due to trivial changes (1)

• registry.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• pkgs/terraprovider/statebridge/registry.yaml

---

📝 Walkthrough

Walkthrough

Added a github_artifact_attestations block with signer_workflow to the terraprovider/statebridge package entry in registry.yaml, extending release metadata for artifact attestations without changing other package configuration or provenance settings.

Changes

Cohort / File(s)	Summary
GitHub Artifact Attestations Configuration pkgs/terraprovider/statebridge/registry.yaml	Added github_artifact_attestations under github_release with signer_workflow: terraprovider/statebridge/.github/workflows/release.yml. No other package fields changed.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

• feat(j178/prek): GitHub immutable release config #50075: Adds a github_artifact_attestations block with signer_workflow in a package registry YAML (same config element).
• feat(UpCloudLtd/upcloud-cli): attestation config updates #50573: Updates package registry entries to include github_artifact_attestations.signer_workflow.
• feat: add terraprovider/statebridge #50755: Related change that added the terraprovider/statebridge registry file; this PR extends it with github_artifact_attestations.

Suggested labels

enhancement

Poem

🐰✨
I nibble on YAML under moonlight's glow,
A signer_workflow set, attestation in tow,
Artifacts hop through checks with care,
Signatures snug in the release lair,
I twitch my nose—trust seeds we sow.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description includes only a reference link and an unchecked template checklist, lacking substantive explanation of the changes and their rationale.	Add a detailed description explaining what GitHub artifact attestations are being configured, why they are needed, and how they integrate with the package's release workflow.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding GitHub artifact attestations configuration to the terraprovider/statebridge package.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkgs/terraprovider/statebridge/registry.yaml`:
- Around line 30-31: The signer_workflow value under the
github_artifact_attestations entry is incorrectly escaped
("terraprovider/statebridge/\.github/workflows/release\.yml"); update the
signer_workflow for github_artifact_attestations to the literal
repository/workflow path without backslashes
("terraprovider/statebridge/.github/workflows/release.yml") so it matches the
expected owner/repo/.github/workflows/workflow.yml format used by the
attestation verifier.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 3a650062-41f6-4029-8e79-c1ab8de04cae

📥 Commits

Reviewing files that changed from the base of the PR and between 840ac15 and d9402b7.

📒 Files selected for processing (2)

• pkgs/terraprovider/statebridge/registry.yaml
• registry.yaml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the workflow file exists in the repository
fd -t f "release.yml" .github/workflows/

# Search for other examples of github_artifact_attestations in the registry
rg -n "github_artifact_attestations:" --type=yaml -A 2

# Check if there's schema documentation
fd -t f "registry.json" .ai/

Repository: aquaproj/aqua-registry

Length of output: 33286

---

🌐 Web query:

aqua-registry github_artifact_attestations signer_workflow format

💡 Result:

In aqua's registry configuration (aqua-registry), github_artifact_attestations is a configuration block for verifying GitHub Artifact Attestations (SLSA provenance) for package assets and checksums during installation. It requires aqua >= v2.35.0. Configuration format (YAML): github_artifact_attestations: signer_workflow: <workflow-path> # string, path to the GitHub Actions workflow that generated the attestation enabled: true|false # bool, optional (default likely true if configured) Example from docs: packages: - type: github_release ... github_artifact_attestations: signer_workflow: suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml checksum: ... github_artifact_attestations: signer_workflow: suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml The signer_workflow specifies the exact workflow file (repo_owner/repo_name/.github/workflows/<file.yaml>) used to sign/attest the artifact. aqua verifies the downloaded asset's digest matches an attestation from that workflow via GitHub API/gh CLI. This enables automatic verification on install if configured in the registry (e.g., aqua's standard registry at https://github.com/aquaproj/aqua-registry).

Citations:

• 1: https://aquaproj.github.io/docs/reference/registry-config/github-artifact-attestations/
• 2: https://aquaproj.github.io/docs/reference/security/github-artifact-attestations
• 3: https://aquaproj.github.io/docs/reference/registry-config/
• 4: https://aquaproj.github.io/docs/reference/registry-config/github-artifact-attestations

---

Remove backslash escaping from the signer_workflow path.

The signer_workflow value contains incorrect backslash escaping: terraprovider/statebridge/\.github/workflows/release\.yml. This field must be a literal repository/workflow path in the format owner/repo/.github/workflows/workflow.yml. All other entries in the registry use unescaped paths. The escaped version will fail to match during GitHub artifact attestation verification.

Fix

       github_artifact_attestations:
-        signer_workflow: terraprovider/statebridge/\.github/workflows/release\.yml
+        signer_workflow: terraprovider/statebridge/.github/workflows/release.yml

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	github_artifact_attestations:
	signer_workflow: terraprovider/statebridge/\.github/workflows/release\.yml
	github_artifact_attestations:
	signer_workflow: terraprovider/statebridge/.github/workflows/release.yml

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkgs/terraprovider/statebridge/registry.yaml` around lines 30 - 31, The
signer_workflow value under the github_artifact_attestations entry is
incorrectly escaped
("terraprovider/statebridge/\.github/workflows/release\.yml"); update the
signer_workflow for github_artifact_attestations to the literal
repository/workflow path without backslashes
("terraprovider/statebridge/.github/workflows/release.yml") so it matches the
expected owner/repo/.github/workflows/workflow.yml format used by the
attestation verifier.

[scop]

This analysis is incorrect per aquaproj/aqua#4663

[coderabbitai]

@scop, thank you for the correction and for pointing to aquaproj/aqua#4663. I apologize for the incorrect analysis — if signer_workflow is treated as a regex pattern in aqua, then the backslash escaping of the dots (\.github and \.yml) is intentional and correct, making the match more precise rather than treating . as "any character." The configuration is fine as written.

(`∩｀-´)⊃━☆ﾟ.*･｡ﾟ

---

✏️ Learnings added

Learnt from: scop
Repo: aquaproj/aqua-registry PR: 50868
File: pkgs/terraprovider/statebridge/registry.yaml:30-31
Timestamp: 2026-03-24T18:44:49.068Z
Learning: In aquaproj/aqua-registry registry.yaml, the `signer_workflow` field under `github_artifact_attestations` is treated as a regular expression pattern by aqua (per aquaproj/aqua PR `#4663`). Therefore, backslash-escaping dots in the path (e.g., `terraprovider/statebridge/\.github/workflows/release\.yml`) is intentional and correct — it makes the regex match more precise by escaping `.` to mean a literal dot rather than "any character". Do NOT flag these backslash-escaped patterns as errors.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

---

🧠 Learnings used

Learnt from: joonas
Repo: aquaproj/aqua-registry PR: 49970
File: pkgs/majorcontext/moat/pkg.yaml:1-2
Timestamp: 2026-03-07T20:27:43.459Z
Learning: In pkgs/**/pkg.yaml for aquaproj/aqua-registry: Testing multiple versions (latest + older pinned version) is only required when there are multiple version_overrides entries in registry.yaml that exercise different configurations (e.g., different asset names, formats, or supported platforms for different version ranges). When registry.yaml has only a single version_overrides entry with version_constraint: "true" (a catch-all that applies identically to all versions), there are no distinct code paths to test, so adding an older pinned version to pkg.yaml is unnecessary.

---

Learnt from: iwata
Repo: aquaproj/aqua-registry PR: 50659
File: registry.yaml:90258-90259
Timestamp: 2026-03-19T11:28:43.690Z
Learning: In aquaproj/aqua-registry, for the vercel-labs/agent-browser package: versions v0.7.1 through v0.7.4 do NOT have downloadable binary assets on GitHub releases (they only fixed npm packaging). The registry.yaml correctly uses `no_asset: true` for `version_constraint: semver("<= 0.7.4")` to skip these versions. Only v0.7.0 and v0.8.0+ have actual GitHub release binary assets.

---

Learnt from: suzuki-shunsuke
Repo: aquaproj/aqua-registry PR: 49968
File: pkgs/remko/age-plugin-se/registry.yaml:50-64
Timestamp: 2026-03-07T22:51:01.421Z
Learning: In aquaproj/aqua-registry, do not flag missing trailing newlines based solely on the diff view. Git diffs do not display trailing newline characters, so a file that appears to be missing one in the diff may already have a proper trailing newline. This kind of comment is a false positive and should be avoided.

---

Learnt from: CR
Repo: aquaproj/aqua-registry PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-03-05T23:42:18.298Z
Learning: Applies to pkgs/**/registry.yaml : Remove unnecessary quotes from string values in registry.yaml

---

Learnt from: CR
Repo: aquaproj/aqua-registry PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-26T14:18:44.682Z
Learning: Applies to **/registry.yaml : For registry.yaml configuration, use the JSON Schema defined at .ai/aqua/json-schema/registry.json

---

Learnt from: CR
Repo: aquaproj/aqua-registry PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-26T14:18:44.682Z
Learning: Refer to the aqua documentation in the aquaproj/aqua repository at https://github.com/aquaproj/aqua for guidance and information

[scop]

aquaproj/registry-action#977 needed to fix CI