Skip to content

feat(terraprovider/statebridge): GitHub artifact attestations config #50868

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
suzuki-shunsuke merged 2 commits into from
Mar 25, 2026
Merged

feat(terraprovider/statebridge): GitHub artifact attestations config #50868

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bb50dfc
feat(terraprovider/statebridge): GitHub artifact attestations config
scop Mar 23, 2026
4e11a64
Merge branch 'main' into feat/statebridge-artifact-attestations
suzuki-shunsuke Mar 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions pkgs/terraprovider/statebridge/registry.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,8 @@ packages:
slsa_provenance:
type: github_release
asset: multiple.intoto.jsonl
github_artifact_attestations:
signer_workflow: terraprovider/statebridge/\.github/workflows/release\.yml
Comment on lines +30 to +31

@coderabbitai coderabbitai Bot Mar 23, 2026
edited
Loading

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if the workflow file exists in the repository
fd -t f "release.yml" .github/workflows/

# Search for other examples of github_artifact_attestations in the registry
rg -n "github_artifact_attestations:" --type=yaml -A 2

# Check if there's schema documentation
fd -t f "registry.json" .ai/

Repository: aquaproj/aqua-registry

Length of output: 33286

🌐 Web query:

aqua-registry github_artifact_attestations signer_workflow format

💡 Result:

In aqua's registry configuration (aqua-registry), github_artifact_attestations is a configuration block for verifying GitHub Artifact Attestations (SLSA provenance) for package assets and checksums during installation. It requires aqua >= v2.35.0. Configuration format (YAML): github_artifact_attestations: signer_workflow: <workflow-path> # string, path to the GitHub Actions workflow that generated the attestation enabled: true|false # bool, optional (default likely true if configured) Example from docs: packages: - type: github_release ... github_artifact_attestations: signer_workflow: suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml checksum: ... github_artifact_attestations: signer_workflow: suzuki-shunsuke/go-release-workflow/.github/workflows/release.yaml The signer_workflow specifies the exact workflow file (repo_owner/repo_name/.github/workflows/<file.yaml>) used to sign/attest the artifact. aqua verifies the downloaded asset's digest matches an attestation from that workflow via GitHub API/gh CLI. This enables automatic verification on install if configured in the registry (e.g., aqua's standard registry at https://github.com/aquaproj/aqua-registry).

Citations:

Remove backslash escaping from the signer_workflow path.

The signer_workflow value contains incorrect backslash escaping: terraprovider/statebridge/\.github/workflows/release\.yml. This field must be a literal repository/workflow path in the format owner/repo/.github/workflows/workflow.yml. All other entries in the registry use unescaped paths. The escaped version will fail to match during GitHub artifact attestation verification.

Fix 
       github_artifact_attestations:
-        signer_workflow: terraprovider/statebridge/\.github/workflows/release\.yml
+        signer_workflow: terraprovider/statebridge/.github/workflows/release.yml
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
github_artifact_attestations:
signer_workflow: terraprovider/statebridge/\.github/workflows/release\.yml
github_artifact_attestations:
signer_workflow: terraprovider/statebridge/.github/workflows/release.yml
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@pkgs/terraprovider/statebridge/registry.yaml` around lines 30 - 31, The
signer_workflow value under the github_artifact_attestations entry is
incorrectly escaped
("terraprovider/statebridge/\.github/workflows/release\.yml"); update the
signer_workflow for github_artifact_attestations to the literal
repository/workflow path without backslashes
("terraprovider/statebridge/.github/workflows/release.yml") so it matches the
expected owner/repo/.github/workflows/workflow.yml format used by the
attestation verifier.

@scop scop Mar 24, 2026

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This analysis is incorrect per aquaproj/aqua#4663

@coderabbitai coderabbitai Bot Mar 24, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@scop, thank you for the correction and for pointing to aquaproj/aqua#4663. I apologize for the incorrect analysis — if signer_workflow is treated as a regex pattern in aqua, then the backslash escaping of the dots (\.github and \.yml) is intentional and correct, making the match more precise rather than treating . as "any character." The configuration is fine as written.

(`∩`-´)⊃━☆゚.*・。゚

✏️ Learnings added 
Learnt from: scop
Repo: aquaproj/aqua-registry PR: 50868
File: pkgs/terraprovider/statebridge/registry.yaml:30-31
Timestamp: 2026-03-24T18:44:49.068Z
Learning: In aquaproj/aqua-registry registry.yaml, the `signer_workflow` field under `github_artifact_attestations` is treated as a regular expression pattern by aqua (per aquaproj/aqua PR `#4663`). Therefore, backslash-escaping dots in the path (e.g., `terraprovider/statebridge/\.github/workflows/release\.yml`) is intentional and correct — it makes the regex match more precise by escaping `.` to mean a literal dot rather than "any character". Do NOT flag these backslash-escaped patterns as errors.

Note: Learnings are effective only in the context of similar code segments. To apply general coding guidelines, please configure review instructions. You can manage existing learnings in the app.

🧠 Learnings used 
Learnt from: joonas
Repo: aquaproj/aqua-registry PR: 49970
File: pkgs/majorcontext/moat/pkg.yaml:1-2
Timestamp: 2026-03-07T20:27:43.459Z
Learning: In pkgs/**/pkg.yaml for aquaproj/aqua-registry: Testing multiple versions (latest + older pinned version) is only required when there are multiple version_overrides entries in registry.yaml that exercise different configurations (e.g., different asset names, formats, or supported platforms for different version ranges). When registry.yaml has only a single version_overrides entry with version_constraint: "true" (a catch-all that applies identically to all versions), there are no distinct code paths to test, so adding an older pinned version to pkg.yaml is unnecessary.

Learnt from: iwata
Repo: aquaproj/aqua-registry PR: 50659
File: registry.yaml:90258-90259
Timestamp: 2026-03-19T11:28:43.690Z
Learning: In aquaproj/aqua-registry, for the vercel-labs/agent-browser package: versions v0.7.1 through v0.7.4 do NOT have downloadable binary assets on GitHub releases (they only fixed npm packaging). The registry.yaml correctly uses `no_asset: true` for `version_constraint: semver("<= 0.7.4")` to skip these versions. Only v0.7.0 and v0.8.0+ have actual GitHub release binary assets.

Learnt from: suzuki-shunsuke
Repo: aquaproj/aqua-registry PR: 49968
File: pkgs/remko/age-plugin-se/registry.yaml:50-64
Timestamp: 2026-03-07T22:51:01.421Z
Learning: In aquaproj/aqua-registry, do not flag missing trailing newlines based solely on the diff view. Git diffs do not display trailing newline characters, so a file that appears to be missing one in the diff may already have a proper trailing newline. This kind of comment is a false positive and should be avoided.

Learnt from: CR
Repo: aquaproj/aqua-registry PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2026-03-05T23:42:18.298Z
Learning: Applies to pkgs/**/registry.yaml : Remove unnecessary quotes from string values in registry.yaml

Learnt from: CR
Repo: aquaproj/aqua-registry PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-26T14:18:44.682Z
Learning: Applies to **/registry.yaml : For registry.yaml configuration, use the JSON Schema defined at .ai/aqua/json-schema/registry.json

Learnt from: CR
Repo: aquaproj/aqua-registry PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-26T14:18:44.682Z
Learning: Refer to the aqua documentation in the aquaproj/aqua repository at https://github.com/aquaproj/aqua for guidance and information

overrides:
- goos: windows
format: zip
2 changes: 2 additions & 0 deletions registry.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading