feat(updatecli/updatecli): GitHub artifact attestations config

[scop]

https://github.com/updatecli/updatecli/attestations

Check List

• Read CONTRIBUTING.md
  • ⚠️ Avoid force push
  • ⚠️ Use argd s command when adding new packages
• Install and execute the package and confirm if the package works well

Summary by CodeRabbit

• New Features
  • Added support for updatecli v0.114.0.
  • Enhanced package verification with checksum validation and cosign signature verification for improved security.

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR adds version-constrained package registry entries for updatecli/updatecli, including checksum verification via checksums.txt with cosign signature validation and GitHub artifact attestations to establish release integrity across multiple registry files.

Changes

Cohort / File(s)	Summary
Package Version Registration pkgs/updatecli/updatecli/pkg.yaml	Added explicit updatecli/updatecli entry pinned to version v0.114.0.
Registry Configuration with Integrity Verification pkgs/updatecli/updatecli/registry.yaml, registry.yaml	Added version-constrained package entries (semver("<= 0.114.0")) defining asset naming patterns, tar.gz format with OS/arch replacements, and Windows zip overrides. Configured checksum validation from checksums.txt with cosign signature bundle verification. Added github_artifact_attestations with signer_workflow referencing the release workflow for attestation verification.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• aquaproj/aqua-registry#50113: Adds version-constrained registry entries with tar.gz assets, checksum/cosign verification, Windows zip overrides, and GitHub artifact attestations.
• aquaproj/aqua-registry#49707: Introduces semver-constrained package overrides with platform-specific asset rules and github_artifact_attestations configurations.
• aquaproj/aqua-registry#50573: Adds semver-constrained registry blocks with checksum verification and GitHub artifact attestation metadata to package registry files.

Suggested labels

enhancement

Poem

🐰 A rabbit hops through registries neat,
Adding versions, checksums complete,
Cosign bundles seal the way,
Updatecli's verified today! ✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The description is incomplete; it only provides a reference link and unchecked checklist items without explaining the actual changes, rationale, or implementation details.	Add a clear explanation of what GitHub artifact attestations were configured, why they were added, and how they benefit security or verification for the updatecli package.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding GitHub artifact attestations configuration for the updatecli/updatecli package.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkgs/updatecli/updatecli/registry.yaml`:
- Around line 139-140: The github_artifact_attestations signer_workflow value is
intentionally a regex with escaped dots; leave the github_artifact_attestations
-> signer_workflow entry (the string
updatecli/updatecli/\.github/workflows/release\.yaml) unchanged so the pattern
matches literal dots rather than any-character wildcards.

In `@registry.yaml`:
- Around line 89553-89576: The registry entry for updatecli incorrectly adds a
github_artifact_attestations verification block (associated with the asset
"updatecli_{{.OS}}_{{.Arch}}.{{.Format}}" and version_constraint semver("<=
0.114.0")), but updatecli does not produce GitHub artifact attestations; remove
the entire github_artifact_attestations block from this updatecli configuration
(or replace it with a comment and escalate to the updatecli team to confirm
attestation support) so registry lookups no longer attempt to verify
non‑existent attestations.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 73208003-ca45-4d14-a669-7f8df216105d

📥 Commits

Reviewing files that changed from the base of the PR and between 7897362 and 8d9484f.

📒 Files selected for processing (3)

• pkgs/updatecli/updatecli/pkg.yaml
• pkgs/updatecli/updatecli/registry.yaml
• registry.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify artifact attestations are available for updatecli/updatecli

gh attestation verify --help >/dev/null 2>&1 || { echo "gh attestation not available"; exit 0; }

# Check if attestations page exists (referenced in PR description)
curl -sI "https://github.com/updatecli/updatecli/attestations" | head -1

Repository: aquaproj/aqua-registry

Length of output: 77

---

🏁 Script executed:

# Check if tfcmt registry.yaml exists and examine line 103 area
fd -t f "tfcmt" -p "registry.yaml" | head -5

Repository: aquaproj/aqua-registry

Length of output: 166

---

🏁 Script executed:

# Verify updatecli registry.yaml content at lines 139-140
fd -t f "updatecli" -p "registry.yaml" -x cat -n {} | sed -n '135,145p'

Repository: aquaproj/aqua-registry

Length of output: 166

---

🏁 Script executed:

# Find updatecli registry.yaml and check lines 139-140
find . -name registry.yaml | grep updatecli | head -1

Repository: aquaproj/aqua-registry

Length of output: 106

---

🏁 Script executed:

# Find tfcmt registry.yaml and check around line 103
find . -name registry.yaml | grep tfcmt | head -1

Repository: aquaproj/aqua-registry

Length of output: 109

---

🏁 Script executed:

# Find suzuki-shunsuke/tfcmt registry.yaml
find . -path "*suzuki-shunsuke*tfcmt*registry.yaml" | head -1

Repository: aquaproj/aqua-registry

Length of output: 108

---

🏁 Script executed:

# Verify updatecli registry.yaml content at lines 139-140
cat -n ./pkgs/updatecli/updatecli/registry.yaml | sed -n '135,145p'

Repository: aquaproj/aqua-registry

Length of output: 354

---

🏁 Script executed:

# Verify tfcmt registry.yaml content at lines 100-110 to see the pattern referenced
cat -n ./pkgs/suzuki-shunsuke/tfcmt/registry.yaml | sed -n '100,110p'

Repository: aquaproj/aqua-registry

Length of output: 48

---

🏁 Script executed:

# Check total lines in tfcmt registry.yaml
wc -l ./pkgs/suzuki-shunsuke/tfcmt/registry.yaml

Repository: aquaproj/aqua-registry

Length of output: 111

---

🏁 Script executed:

# Search for github_artifact_attestations pattern in tfcmt registry.yaml
grep -n "github_artifact_attestations" ./pkgs/suzuki-shunsuke/tfcmt/registry.yaml

Repository: aquaproj/aqua-registry

Length of output: 106

---

🏁 Script executed:

# Check the github_artifact_attestations section in tfcmt (lines 88-89)
cat -n ./pkgs/suzuki-shunsuke/tfcmt/registry.yaml | sed -n '88,89p'

Repository: aquaproj/aqua-registry

Length of output: 211

---

GitHub artifact attestations configuration is correct.

The signer_workflow pattern with backslash-escaped dots (\.) is intentional and correct—aqua treats this field as a regular expression, so escaping the dots ensures precise literal matching rather than "any character" matching.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkgs/updatecli/updatecli/registry.yaml` around lines 139 - 140, The
github_artifact_attestations signer_workflow value is intentionally a regex with
escaped dots; leave the github_artifact_attestations -> signer_workflow entry
(the string updatecli/updatecli/\.github/workflows/release\.yaml) unchanged so
the pattern matches literal dots rather than any-character wildcards.

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check the updatecli attestations page referenced in PR description
# and verify which versions have attestations available

# Check recent releases to understand attestation availability
gh api repos/updatecli/updatecli/releases --jq '.[0:5] | .[] | {tag_name, published_at}'

# Check if attestations exist for v0.114.0 and a newer version
echo "---"
echo "Checking attestations for v0.114.0:"
gh attestation verify --owner updatecli --repo updatecli --format json 2>&1 | head -20 || echo "No attestation check available via CLI"

Repository: aquaproj/aqua-registry

Length of output: 2111

---

🏁 Script executed:

# First, let's check the registry.yaml file around the specified lines
sed -n '89553,89576p' registry.yaml | cat -n

echo "---"

# Also check the second hunk mentioned (around 89601-89602)
sed -n '89595,89610p' registry.yaml | cat -n

Repository: aquaproj/aqua-registry

Length of output: 1847

---

🌐 Web query:

updatecli GitHub artifact attestations support release history

💡 Result:

Updatecli does not support GitHub artifact attestations. No mentions of artifact attestations, SLSA provenance, Sigstore, or related terms like "attest-build-provenance" appear in Updatecli's release notes (6,7,11,14), changelogs, documentation (50,51,52,54,62), GitHub repository (13), workflows, or searches across its ecosystem. Updatecli focuses on declarative dependency updates via pipelines with sources, conditions, targets, and actions like GitHub pull requests (54), but lacks integration with GitHub's artifact attestation features introduced in 2024 (1,4,58,64). Other tools like GoReleaser (5), GitHub CLI (1,2,3), and Trivy (61) explicitly added support, but Updatecli has no equivalent in releases up to v0.114.0 (2026-02-24,13) or workflows.

Citations:

• 1: Update GitHub CLI release process to generate artifact attestations cli/cli#9041
• 2: Support artifact verification using attestations stored in the image registry in gh attestation verify command cli/cli#9369
• 3: https://cli.github.com/manual/gh_attestation_verify
• 4: https://docs.github.com/actions/security-for-github-actions/using-artifact-attestations
• 5: Support Github Artifact Attestations goreleaser/goreleaser#4852
• 6: https://github.com/updatecli/updatecli/releases
• 7: https://newreleases.io/project/github/updatecli/updatecli/release/v0.113.0
• 8: https://www.updatecli.io/blog/updatecli-v0.110.0-released-github-search-scm-git-branch-cleanup-dockerfile-matching-and-more/
• 9: https://www.updatecli.io/changelogs/updatecli/changelogs/v0.92.0/
• 10: https://github.com/updatecli/updatecli
• 11: https://www.updatecli.io/changelogs/updatecli/changelogs/v0.81.0/
• 12: https://www.updatecli.io/docs/plugins/scm/githubsearch/
• 13: https://www.updatecli.io/docs/plugins/scm/github/
• 14: https://www.updatecli.io/docs/core/configuration/
• 15: https://www.updatecli.io/docs/core/action/
• 16: https://docs.github.com/en/actions/how-tos/security-for-github-actions/using-artifact-attestations/using-artifact-attestations-to-establish-provenance-for-builds
• 17: feat(ci): add build provenance attestations to release workflow aquasecurity/trivy#10343
• 18: https://www.updatecli.io/docs/automate/github_action/
• 19: https://github.com/updatecli/updatecli-action/releases
• 20: https://docs.github.com/actions/security-guides/using-artifact-attestations-to-establish-provenance-for-builds

---

Remove github_artifact_attestations from updatecli configuration—updatecli does not produce artifact attestations.

The registry change adds github_artifact_attestations verification for updatecli based on the assumption that attestations are available for versions > 0.114.0. However, updatecli does not support GitHub artifact attestations at any version. Searching updatecli's releases, changelogs, documentation, and GitHub workflows shows no artifact attestation support, SLSA provenance, or Sigstore integration. The configuration attempting to verify non-existent attestations will cause registry lookups to fail.

Remove the github_artifact_attestations block or verify with the updatecli team that artifact attestation support has been added to their release workflow.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@registry.yaml` around lines 89553 - 89576, The registry entry for updatecli
incorrectly adds a github_artifact_attestations verification block (associated
with the asset "updatecli_{{.OS}}_{{.Arch}}.{{.Format}}" and version_constraint
semver("<= 0.114.0")), but updatecli does not produce GitHub artifact
attestations; remove the entire github_artifact_attestations block from this
updatecli configuration (or replace it with a comment and escalate to the
updatecli team to confirm attestation support) so registry lookups no longer
attempt to verify non‑existent attestations.

[suzuki-shunsuke]

Thank you!