Record attest provenance on merged commits#46
Open
0xLeif wants to merge 2 commits into
Open
Conversation
augur enforces its own risk gate in CI but never recorded provenance, so its /trust/ attest pip was dark. This closes the loop: a dedicated main-only job records an attestation after the build/test jobs pass and pushes refs/notes/attest, so augur builds a trust ledger. attest ships a public Linux binary, checksum-verified, so no token is needed. Additive and best-effort: a hiccup logs a warning and never fails CI. runs-on GitHub-hosted ubuntu, so the self-hosted guard stays green. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01ApSS1xj22zGwbUSkRs3mmE
|
Warning You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again! |
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
augur: ✅ PROCEED - risk 29/100Confidence 71/100 - calibration prior-only (0 incidents / 1 commit).
|
An attestation records 'proceed', so it must not sign off on a commit where the action smoke test, the Linux package, or the self-hosted guard failed. Depend on all gate jobs. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01ApSS1xj22zGwbUSkRs3mmE
|
Bugbot is not enabled for your account, so this pull request was not reviewed. Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
From the trust-tooling audit: augur enforces its own risk gate but never recorded provenance, so its /trust/ attest pip was dark. Adds a dedicated main-only
attestjob (after build-test-macos + build-test-linux) that records a provenance attestation and pushesrefs/notes/attest. Public Linux binary, checksum-verified, no token; additive and best-effort.runs-on: ubuntu-latest, so the self-hosted guard stays green.🤖 Generated with Claude Code
https://claude.ai/code/session_01ApSS1xj22zGwbUSkRs3mmE