Skip to content

UID2-7041: promote OCI tag only after attest+verify pass#231

Open
BehnamMozafari wants to merge 5 commits into
mainfrom
bmz-UID2-7041-retag-promotion
Open

UID2-7041: promote OCI tag only after attest+verify pass#231
BehnamMozafari wants to merge 5 commits into
mainfrom
bmz-UID2-7041-retag-promotion

Conversation

@BehnamMozafari
Copy link
Copy Markdown
Contributor

@BehnamMozafari BehnamMozafari commented May 13, 2026
edited
Loading

Summary

  • Push image by digest only (no consumable tag) in both docker publish flows; after actions/attest_image@v3 (SLSA attest + gh attestation verify) succeeds, run docker buildx imagetools create to promote the digest to the consumable tag (1.2.3, latest). Closes the gap from PR UID2-6764: Add SLSA build provenance attestations to docker publish workflows #228 (UID2-6764) where the consumable tag escaped the policy gate if attest/verify failed.
  • Applied identically to the composite (actions/shared_publish_to_docker/action.yaml) and the inline Java workflow (.github/workflows/shared-publish-java-to-docker-versioned.yaml).
  • Fail-fast on the new promote step (no retry) — matches the existing push step's policy. On a promote failure the verified digest persists in the registry; the previous tag still resolves; the next release re-runs the full flow.

How the three paths route

Path Attest step Promote step (default if: success()) Tag created?
Release (not_snapshot=true, attestation_enabled=true) runs runs (after pass)
Release + attest/verify fails runs and fails skipped ❌ (stays at previous good)
Snapshot (not_snapshot=false) skipped runs
Opt-out (attestation_enabled=false) skipped runs

Skipped steps count as success for downstream if: success(), so the same promote step services all three "should-tag" paths without no explicit condition.

Smoke evidence

Throwaway smoke harness (deleted in this PR's history) exercised both paths inline against this branch's code (local action refs, not @v3):

  • Green path — run 25783580596: push-by-digest → pre-promote tag absence asserted → attest+verify → promote → gh attestation verify against the consumable tag passes.
  • Forced-failure path — run 25783628840: push-by-digest → attest+verify → injected failure → promote step skipped → no consumable tag created. Proves the if: success() gate holds.

Out of scope / follow-up

  • @v3 promotion: after merge, move @v3 forward via update-major-version-tags.

Test plan

  • Smoke green path
  • Smoke forced-failure path
  • After merge: update-major-version-tags moves @v3 to this SHA
  • Spot-check 2-3 consumer releases use the new flow without caller-side changes

🤖 Generated with Claude Code

BehnamMozafari and others added 2 commits May 13, 2026 16:53
@BehnamMozafari @claude
UID2-7041: push by digest, promote tag only after attest
94526ed 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@BehnamMozafari @claude
UID2-7041: promote tag after attest in Java publish workflow
125ddbd 
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@BehnamMozafari BehnamMozafari force-pushed the bmz-UID2-7041-retag-promotion branch from e10b549 to 125ddbd Compare May 13, 2026 06:54
BehnamMozafari and others added 3 commits May 13, 2026 16:56
@BehnamMozafari @claude
UID2-7041: TEMP smoke harness for tag-after-verify (delete after capt…
47843b8 
…ure)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@BehnamMozafari
UID2-7041: smoke trigger on push for first run
09c250c
@BehnamMozafari @claude
UID2-7041: drop smoke harness; runs 25783580596 (green) + 25783628840…
b05c09b 
… (forced fail) captured

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jon8787 jon8787 jon8787 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@BehnamMozafari @jon8787