Skip to content

Record attest provenance on merged commits#46

Open
0xLeif wants to merge 2 commits into
mainfrom
feat/attest-provenance
Open

Record attest provenance on merged commits#46
0xLeif wants to merge 2 commits into
mainfrom
feat/attest-provenance

Conversation

@0xLeif

@0xLeif 0xLeif commented Jul 4, 2026

Copy link
Copy Markdown
Contributor

From the trust-tooling audit: augur enforces its own risk gate but never recorded provenance, so its /trust/ attest pip was dark. Adds a dedicated main-only attest job (after build-test-macos + build-test-linux) that records a provenance attestation and pushes refs/notes/attest. Public Linux binary, checksum-verified, no token; additive and best-effort. runs-on: ubuntu-latest, so the self-hosted guard stays green.

🤖 Generated with Claude Code
https://claude.ai/code/session_01ApSS1xj22zGwbUSkRs3mmE

augur enforces its own risk gate in CI but never recorded provenance, so its
/trust/ attest pip was dark. This closes the loop: a dedicated main-only job
records an attestation after the build/test jobs pass and pushes
refs/notes/attest, so augur builds a trust ledger. attest ships a public Linux
binary, checksum-verified, so no token is needed. Additive and best-effort: a
hiccup logs a warning and never fails CI. runs-on GitHub-hosted ubuntu, so the
self-hosted guard stays green.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01ApSS1xj22zGwbUSkRs3mmE
@gemini-code-assist

Copy link
Copy Markdown

Warning

You have reached your daily quota limit. Please wait up to 24 hours and I will start processing your requests again!

@cursor

cursor Bot commented Jul 4, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@github-actions

github-actions Bot commented Jul 4, 2026

Copy link
Copy Markdown

augur: ✅ PROCEED - risk 29/100

Confidence 71/100 - calibration prior-only (0 incidents / 1 commit).

File Risk Verdict Top signal
.github/workflows/ci.yml 29 ✅ proceed sensitivity: matches sensitive category 'ci'

An attestation records 'proceed', so it must not sign off on a commit where the
action smoke test, the Linux package, or the self-hosted guard failed. Depend on
all gate jobs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01ApSS1xj22zGwbUSkRs3mmE
@cursor

cursor Bot commented Jul 6, 2026

Copy link
Copy Markdown

Bugbot is not enabled for your account, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant