mirror of
https://github.com/coder/coder.git
synced 2026-06-02 20:48:20 +00:00
Atif Ali
bc5e4b5d54
## Problem GitHub SLSA provenance attestations have been silently failing on **every release** since they were introduced. Confirmed across all 10+ release runs checked (v2.29.2 through v2.31.6). The `actions/attest` action requires `subject-digest` (a `sha256:...` hash) to identify the artifact being attested, but the workflow only provided `subject-name` (the image tag like `ghcr.io/coder/coder:v2.31.6`). This caused every attestation step to error with: ``` Error: One of subject-path, subject-digest, or subject-checksums must be provided ``` The failures were masked by `continue-on-error: true` and only surfaced as `##[warning]` annotations that nobody noticed. Enterprise customers doing `gh attestation verify` would find no provenance records for any of our Docker images. > [!NOTE] > The cosign SBOM attestation (separate step) has been working correctly the entire time — it uses a different mechanism (`cosign attest --type spdxjson`) that does not require the same inputs. This fix is specifically for the GitHub-native SLSA provenance attestations. ## Fix **Add `subject-digest` to all `actions/attest` steps** (release.yaml + ci.yaml): - Base image: capture digest from `depot/build-push-action` output - Main image: resolve digest via `docker buildx imagetools inspect --raw` after push - Latest image: same approach - Use `subject-name` without tag per the [actions/attest docs](https://github.com/actions/attest#container-image) **Update `anchore/sbom-action`** from v0.18.0 to v0.24.0 (node24 support, ahead of the [June 2 deadline](https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/)). All changes remain non-blocking for the release process (`continue-on-error: true` preserved). > 🤖 This PR was created with the help of Coder Agents, and is reviewed by a human.