Skip to content

feat(updatecli/updatecli): GitHub artifact attestations config #51053

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
suzuki-shunsuke merged 1 commit into from
Mar 27, 2026
Merged

feat(updatecli/updatecli): GitHub artifact attestations config #51053

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions pkgs/updatecli/updatecli/pkg.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,7 @@
packages:
- name: updatecli/updatecli@v0.115.0
- name: updatecli/updatecli
version: v0.114.0
- name: updatecli/updatecli
version: v0.110.3
- name: updatecli/updatecli
Expand Down
26 changes: 26 additions & 0 deletions pkgs/updatecli/updatecli/registry.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,30 @@ packages:
overrides:
- goos: windows
format: zip
- version_constraint: semver("<= 0.114.0")
asset: updatecli_{{.OS}}_{{.Arch}}.{{.Format}}
format: tar.gz
replacements:
amd64: x86_64
darwin: Darwin
linux: Linux
windows: Windows
checksum:
type: github_release
asset: checksums.txt
algorithm: sha256
cosign:
bundle:
type: github_release
asset: checksums.txt.sig
opts:
- --certificate-identity
- "https://github.com/updatecli/updatecli/.github/workflows/release.yaml@refs/tags/{{.Version}}"
- --certificate-oidc-issuer
- https://token.actions.githubusercontent.com
overrides:
- goos: windows
format: zip
- version_constraint: "true"
asset: updatecli_{{.OS}}_{{.Arch}}.{{.Format}}
format: tar.gz
Expand All @@ -112,3 +136,5 @@ packages:
overrides:
- goos: windows
format: zip
github_artifact_attestations:
signer_workflow: updatecli/updatecli/\.github/workflows/release\.yaml
Comment on lines +139 to +140

@coderabbitai coderabbitai Bot Mar 26, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify artifact attestations are available for updatecli/updatecli

gh attestation verify --help >/dev/null 2>&1 || { echo "gh attestation not available"; exit 0; }

# Check if attestations page exists (referenced in PR description)
curl -sI "https://github.com/updatecli/updatecli/attestations" | head -1

Repository: aquaproj/aqua-registry

Length of output: 77

🏁 Script executed:

# Check if tfcmt registry.yaml exists and examine line 103 area
fd -t f "tfcmt" -p "registry.yaml" | head -5

Repository: aquaproj/aqua-registry

Length of output: 166

🏁 Script executed:

# Verify updatecli registry.yaml content at lines 139-140
fd -t f "updatecli" -p "registry.yaml" -x cat -n {} | sed -n '135,145p'

Repository: aquaproj/aqua-registry

Length of output: 166

🏁 Script executed:

# Find updatecli registry.yaml and check lines 139-140
find . -name registry.yaml | grep updatecli | head -1

Repository: aquaproj/aqua-registry

Length of output: 106

🏁 Script executed:

# Find tfcmt registry.yaml and check around line 103
find . -name registry.yaml | grep tfcmt | head -1

Repository: aquaproj/aqua-registry

Length of output: 109

🏁 Script executed:

# Find suzuki-shunsuke/tfcmt registry.yaml
find . -path "*suzuki-shunsuke*tfcmt*registry.yaml" | head -1

Repository: aquaproj/aqua-registry

Length of output: 108

🏁 Script executed:

# Verify updatecli registry.yaml content at lines 139-140
cat -n ./pkgs/updatecli/updatecli/registry.yaml | sed -n '135,145p'

Repository: aquaproj/aqua-registry

Length of output: 354

🏁 Script executed:

# Verify tfcmt registry.yaml content at lines 100-110 to see the pattern referenced
cat -n ./pkgs/suzuki-shunsuke/tfcmt/registry.yaml | sed -n '100,110p'

Repository: aquaproj/aqua-registry

Length of output: 48

🏁 Script executed:

# Check total lines in tfcmt registry.yaml
wc -l ./pkgs/suzuki-shunsuke/tfcmt/registry.yaml

Repository: aquaproj/aqua-registry

Length of output: 111

🏁 Script executed:

# Search for github_artifact_attestations pattern in tfcmt registry.yaml
grep -n "github_artifact_attestations" ./pkgs/suzuki-shunsuke/tfcmt/registry.yaml

Repository: aquaproj/aqua-registry

Length of output: 106

🏁 Script executed:

# Check the github_artifact_attestations section in tfcmt (lines 88-89)
cat -n ./pkgs/suzuki-shunsuke/tfcmt/registry.yaml | sed -n '88,89p'

Repository: aquaproj/aqua-registry

Length of output: 211

GitHub artifact attestations configuration is correct.

The signer_workflow pattern with backslash-escaped dots (\.) is intentional and correct—aqua treats this field as a regular expression, so escaping the dots ensures precise literal matching rather than "any character" matching.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@pkgs/updatecli/updatecli/registry.yaml` around lines 139 - 140, The
github_artifact_attestations signer_workflow value is intentionally a regex with
escaped dots; leave the github_artifact_attestations -> signer_workflow entry
(the string updatecli/updatecli/\.github/workflows/release\.yaml) unchanged so
the pattern matches literal dots rather than any-character wildcards.

26 changes: 26 additions & 0 deletions registry.yaml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

Loading