CI/CD consolidation on bor#2249
@claude review
Codecov Report
All modified and coverable lines are covered by tests.

@@ Coverage Diff @@
##           develop    #2249    +/-  ##
===========================================
+ Coverage    52.28%   52.87%   +0.59%
===========================================
  Files          885      886       +1
  Lines       155777   156888    +1111
===========================================
+ Hits         81444    82957    +1513
+ Misses       69092    68672     -420
- Partials      5241     5259      +18

See 83 files with indirect coverage changes.
Prior comment addressed via lowercased IMAGE_NAME; remaining changes are mechanical workflow consolidation (cosign signing, GCP mirroring, runner alignment).
Extended reasoning...
Overview
This PR consolidates release-side GitHub Actions workflows: adds cosign sign-blob steps to three .deb packaging workflows, adds GCP bucket mirroring via OIDC to packager_deb.yml and release_ghcr.yml, and switches the kurtosis e2e jobs to the same self-hosted runner already in use by release_ghcr.yml. No application code changes.
Security risks
The new work is largely supply-chain hardening (cosign-signed artifacts attached to releases). GCP authentication uses short-lived OIDC tokens via workload identity federation rather than long-lived keys, which is the right pattern. Third-party actions are pinned by commit SHA. Bucket destinations and GCP identity are sourced from repo secrets — assuming those secrets are configured correctly, the blast radius is limited to mirroring artifacts that are already published to GitHub Releases / GHCR.
Level of scrutiny
Medium. These are release-infrastructure workflows, so failures would be visible at release time but cannot corrupt the artifacts themselves (which are still produced and shasummed before signing). The prior uppercase-IMAGE_NAME bug I flagged would have broken the new tar.gz export entirely on every tag run, and it has been fixed in commit 2d1979b by lowercasing IMAGE_NAME directly. The cosign signing steps use shopt -s nullglob plus an explicit empty-array guard, which is defensive.
Other factors
- The bug-hunting system found no further bugs in the updated diff.
- My only prior concern has been resolved.
- SonarCloud quality gate passed, codecov shows no regression on this PR.
- No CODEOWNER-protected application code is touched.
My previous bug report about uppercase IMAGE_NAME in release_ghcr.yml was addressed; the rest is straightforward CI/CD hygiene (cosign signing, GCP mirroring, runner alignment) with pinned action SHAs.
Extended reasoning...
Overview
This PR touches six GitHub Actions workflows: it adds cosign blob-signing of .deb artifacts in amoy_deb_profiles.yml, mainnet_deb_profiles.yml, and packager_deb.yml; mirrors release artifacts (debs and a multi-arch image tar.gz) to GCP buckets via OIDC in packager_deb.yml and release_ghcr.yml; and switches the e2e-tests job in kurtosis-e2e.yml and kurtosis-stateless-e2e.yml to the same large self-hosted runner already used by release_ghcr.yml. No production code or non-workflow files are modified.
Security risks
The supply-chain posture improves here rather than regressing: .deb artifacts now get keyless cosign signatures attached to GitHub Releases, and the GCP uploads use short-lived OIDC tokens with workload identity federation rather than long-lived service-account keys. Third-party actions are pinned by commit SHA (sigstore/cosign-installer@d7d6bc7, google-github-actions/auth@71f9864, google-github-actions/setup-gcloud@e427ad8). The new GCP destinations and identities are read from repo secrets, so the blast radius of a misconfiguration is bounded.
Level of scrutiny
Medium — these are release-path workflows, so bugs here can silently break a release (no immediate user impact, but supply-chain breakage). That's why I flagged the uppercase IMAGE_NAME issue on the first pass: the four new docker pull/docker tag shell-level interpolations would have failed on every release tag. That has been fixed by lowercasing the env var directly, which also matches what docker/metadata-action was already producing. The remaining changes are mechanical: cosign installer + sign-blob loop, an OIDC auth step, and a gcloud storage cp loop.
Other factors
The bug hunting system found no new bugs after the fix. SonarQube quality gate passed. The cosign loops handle the empty-artifact case explicitly (exit 1 on no matches), and the file globs feeding both the GitHub Release and the GCP upload are consistent with the existing patterns in each workflow. My prior concern was the only blocker and it's resolved.
Previously flagged uppercase IMAGE_NAME issue has been fixed by lowercasing the env var; remaining changes are mechanical CI/CD additions (cosign signing, GCS mirroring, runner alignment).
Extended reasoning...
Overview
This PR consolidates release-side GitHub Actions workflows. Across six workflow files it (a) adds keyless cosign sign-blob signing of .deb artifacts in amoy_deb_profiles.yml, mainnet_deb_profiles.yml, and packager_deb.yml; (b) adds GCP OIDC auth + gcloud storage cp mirroring of debs and Docker image tarballs in packager_deb.yml and release_ghcr.yml; (c) switches the kurtosis e2e jobs to the same self-hosted runner already used by GHCR; and (d) lowercases IMAGE_NAME from 0xPolygon/bor to 0xpolygon/bor in release_ghcr.yml.
Security risks
The added third-party actions (sigstore/cosign-installer, google-github-actions/auth, google-github-actions/setup-gcloud) are all pinned by full commit SHA, which is the right hygiene. Authentication to GCP uses short-lived OIDC tokens with workload identity federation — no long-lived credentials live in repo secrets. Cosign signing is keyless using the GitHub OIDC provider. All artifact globs in signing/upload steps are scoped to packaging/deb/bor-*.deb or bor-${{ github.ref_name }}-*.tar.gz, so there is no risk of accidentally signing/uploading unrelated files.
Level of scrutiny
Low. These are CI/CD workflow files only — no production code, no runtime behavior change to the binaries or images that get shipped. The cosign additions are supply-chain-positive (additive metadata next to existing .deb + .deb.checksum), the GCS mirroring is additive (the existing GitHub Release upload is unchanged), and the runner alignment is a performance tweak. The only previously load-bearing concern was the uppercase IMAGE_NAME interaction with docker pull in the new export steps, and that has been resolved.
Other factors
My prior inline comment on release_ghcr.yml line 74 — that docker pull ghcr.io/0xPolygon/bor:... would fail OCI reference parsing — has been addressed by lowercasing IMAGE_NAME at the env var level, which is the cleanest fix and also keeps the existing build-and-push step working (metadata-action was already normalizing it). SonarQube quality gate passed and Codecov shows full coverage on modified lines (trivially true since these are YAML).
Summary
Tidies up the release-side GitHub Actions workflows so they are consistent with each other and with the runners/tooling already in use elsewhere in the repo. No code changes, no behavioural changes to the release artifacts themselves — same .debs, same docker images, same tags.

Changes
amoy_deb_profiles.yml, mainnet_deb_profiles.yml, and packager_deb.yml now run cosign sign-blob against the produced .deb files using GitHub's OIDC identity. The .sig and .pem files are attached to the GitHub Release next to the existing .deb and .deb.checksum. Standard supply-chain hygiene, costs ~10s per build.

packager_deb.yml and release_ghcr.yml now mirror their build outputs (debs and a tar.gz of the multi-arch image) to an external artifact store via short-lived OIDC tokens. Destination and identity are read from repo secrets.
Pinned actions
New third-party actions are pinned by commit SHA:
sigstore/cosign-installer@d7d6bc7722e3daa8354c50bcb52f4837da5e9b6a (v3.7.0)
google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 (v2.1.5)
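As an added example, not code from the PR or from the bor repository's workflows: the shape of the fail-closed sign-blob step the description and the reviews refer to (the reviews note that the workflow uses `shopt -s nullglob` plus an empty-array guard; the portable sh equivalent below uses `set --` on the glob and a `-e` test, which fails the same way when nothing matches), together with the consumer-side `cosign verify-blob` check a downloader of a release .deb would run, which goes beyond what the page itself shows. The function names `sign_debs`, `cosign_sign` and `verify_deb` are mine, the `packaging/deb` location and `bor-*.deb` glob are taken from the reviews, and the certificate-identity regexp is an assumed placeholder for the repository's real workflow identities.

```shell
#!/bin/sh
# Added example, not code from the bor repository: a fail-closed
# sign-blob loop plus the matching consumer-side verification step.
set -eu

# Keyless certificates issued to GitHub Actions carry the workflow
# identity (repo + workflow file + ref). This pattern is an ASSUMED
# placeholder; pin it to the real release workflows when verifying.
IDENTITY_RE="${IDENTITY_RE:-^https://github\.com/0xPolygon/bor/\.github/workflows/.*}"
OIDC_ISSUER="https://token.actions.githubusercontent.com"

# Keyless signing with the runner's OIDC token. Writes <deb>.sig and
# <deb>.pem beside the artifact so both can be attached to the release.
cosign_sign() {
  cosign sign-blob --yes \
    --output-signature "$1.sig" \
    --output-certificate "$1.pem" \
    "$1"
}

# Consumer-side check: the signature must verify against the bundled
# certificate AND that certificate must have been issued by GitHub's
# OIDC issuer to one of this repository's workflows. Without the
# identity/issuer constraints any valid Fulcio cert would be accepted.
verify_deb() {
  cosign verify-blob \
    --certificate "$1.pem" \
    --signature "$1.sig" \
    --certificate-identity-regexp "$IDENTITY_RE" \
    --certificate-oidc-issuer "$OIDC_ISSUER" \
    "$1"
}

# Sign every bor-*.deb under $1 with $2 (default: cosign_sign).
# An unmatched glob expands to the literal pattern, so the -e test
# catches the "nothing to sign" case and the step fails instead of
# producing a release with zero signatures. Prints the number signed.
sign_debs() {
  dir="$1"
  signer="${2:-cosign_sign}"
  set -- "$dir"/bor-*.deb
  if [ ! -e "$1" ]; then
    echo "sign_debs: no bor-*.deb under $dir; refusing to continue" >&2
    return 1
  fi
  count=0
  for deb in "$@"; do
    "$signer" "$deb" || return 1
    count=$((count + 1))
  done
  echo "$count"
}

# On a release runner:      sign_debs packaging/deb
# After downloading a .deb:  verify_deb bor-vX.Y.Z-amd64.deb   (assumed file name)
```

The signer is passed as a parameter so the loop's guard logic can be exercised without cosign installed; in the workflow the default `cosign_sign` is what runs. Verification deliberately requires both `--certificate-identity-regexp` and `--certificate-oidc-issuer`: a keyless signature only proves something about the artifact once the consumer states which identity it expects to have signed it.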