8000 init release verify subcommands by ejahnGithub · Pull Request #11018 · cli/cli · GitHub
[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
Skip to content

init release verify subcommands #11018

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 37 commits into from
Jun 20, 2025
Merged

init release verify subcommands #11018

merged 37 commits into from
Jun 20, 2025

Conversation

ejahnGithub
Copy link
Contributor
@ejahnGithub ejahnGithub commented May 23, 2025
edited
Loading

This PR adds two beta gh release subcommands—verify and verify-asset—to support release attestations. Both commands are still in the testing phase and not yet exposed in the public CLI.

Here’s a clean summary of the expected output for the new gh release verify and gh release verify-asset subcommands:

Expected output:

gh release verify with tag

❯ ./bin/gh release verify v5 --repo bdehamer/delme

Resolved v5 to sha1:c5e17a62e06a1d201570249c61fae531e9244e1b
Loaded 1 attestation from GitHub API
The following 1 attestation matched the policy criteria

✓ Verification succeeded!

Attestation found matching release v5 (c5e17a62e06a1d201570249c61fae531e9244e1b)
  a.zip          sha256:f7165848f9f5ddc578d7adbd1f566a394169385c73bd88bf60df7e759db8e08d
  b.zip          sha256:8b7eb1572346692ffd3ae01248c70a341ae3aa8be1df8b12346b50acb9002282

gh release verify without tag

❯ ./bin/gh release verify --repo bdehamer/delme

Resolved v5 to sha1:c5e17a62e06a1d201570249c61fae531e9244e1b
Loaded 1 attestation from GitHub API
The following 1 attestation matched the policy criteria

✓ Verification succeeded!

Attestation found matching release v5 (c5e17a62e06a1d201570249c61fae531e9244e1b)
  a.zip          sha256:f7165848f9f5ddc578d7adbd1f566a394169385c73bd88bf60df7e759db8e08d
  b.zip          sha256:8b7eb1572346692ffd3ae01248c70a341ae3aa8be1df8b12346b50acb9002282

gh release verify-asset with tag

❯ ./bin/gh release verify-asset v5 ./pkg/cmd/attestation/test/data/github_release_artifact.zip --repo bdehamer/delme

Loaded digest sha256:f7165848f9f5ddc578d7adbd1f566a394169385c73bd88bf60df7e759db8e08d for github_release_artifact.zip
Resolved v5 to sha1:c5e17a62e06a1d201570249c61fae531e9244e1b
Loaded 1 attestation from GitHub API
The following 1 attestation matched the policy criteria

✓ Verification succeeded!
Attestation found matching release v5 (sha1:c5e17a62e06a1d201570249c61fae531e9244e1b)
github_release_artifact.zip is present in release v5

gh release verify-asset without tag

❯ ./bin/gh release verify-asset ./pkg/cmd/attestation/test/data/github_release_artifact.zip --repo bdehamer/delme

Loaded digest sha256:f7165848f9f5ddc578d7adbd1f566a394169385c73bd88bf60df7e759db8e08d for github_release_artifact.zip
Resolved v5 to sha1:c5e17a62e06a1d201570249c61fae531e9244e1b
Loaded 1 attestation from GitHub API
The following 1 attestation matched the policy criteria

✓ Verification succeeded!
Attestation found matching release v5 (sha1:c5e17a62e06a1d201570249c61fae531e9244e1b)
github_release_artifact.zip is present in release v5

ejahnGithub added 11 commits May 15, 2025 17:21
@ejahnGithub
init
3a6e42f
@ejahnGithub
wip
510ce73
@ejahnGithub
remove comment
74c6a36
@ejahnGithub
wip
26b46f9
@ejahnGithub
update the lng
3e54568
@ejahnGithub
clean up the code
0a6ce2b
@ejahnGithub
minor fix
7a7c7d6
< 8000 a class="avatar avatar-user" style="width:20px;height:20px;" data-test-selector="commits-avatar-stack-avatar-link" data-hovercard-type="user" data-hovercard-url="/users/ejahnGithub/hovercard" data-octo-click="hovercard-link-click" data-octo-dimensions="link_type:self" href="/ejahnGithub"> @ejahnGithub
change verify-asset logic
e9fbe9d
@ejahnGithub
add json format
ca0f984
@ejahnGithub
added the unit test
3108d99
@ejahnGithub
removed unused file
81f1017
ejahnGithub
ejahnGithub commented May 30, 2025
View reviewed changes
ejahnGithub
ejahnGithub commented May 30, 2025
View reviewed changes
@ejahnGithub ejahnGithub marked this pull request as ready for review May 30, 2025 17:01
@ejahnGithub ejahnGithub requested review from a team as code owners May 30, 2025 17:01
@ejahnGithub ejahnGithub requested a review from andyfeller May 30, 2025 17:01
@cliAutomation cliAutomation added the external pull request originating outside of the CLI core team label May 30, 2025
@cliAutomation
Copy link
Collaborator

Hi! Thanks for the pull request. Please ensure that this change is linked to an issue by mentioning an issue number in the description of the pull request. If this pull request would close the issue, please put the word 'Fixes' before the issue number somewhere in the pull request body. If this is a tiny change like fixing a typo, feel free to ignore this message.

andyfeller
andyfeller reviewed May 30, 2025
View reviewed changes
Copy link
Member
@andyfeller andyfeller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ejahnGithub : I will need to devote more time to really grok everything going on here, but I wanted to provide some initial feedback that I think is important to discuss further from a maintenance perspective.

@ejahnGithub ejahnGithub marked this pull request as ready for review May 30, 2025 21:10
@cliAutomation
Copy link
Collaborator

Hi! Thanks for the pull request. Please ensure that this change is linked to an issue by mentioning an issue number in the description of the pull request. If this pull request would close the issue, please put the word 'Fixes' before the issue number somewhere in the pull request body. If this is a tiny change like fixing a typo, feel free to ignore this message.

malancas
malancas reviewed Jun 2, 2025
View reviewed changes
pkg/cmd/release/shared/fetch.go
@@ -133,6 +133,41 @@ type fetchResult struct {
error error
}

func FetchRefSHA(ctx context.Context, httpClient *http.Client, repo ghrepo.Interface, tagName string) (string, error) {
path := fmt.Sprintf("repos/%s/%s/git/refs/tags/%s", repo.RepoOwner(), repo.RepoName(), tagName)
req, err := http.NewRequestWithContext(ctx, "GET", ghinstance.RESTPrefix(repo.RepoHost())+path, nil)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think there are some built in functions in the gh-go library for making HTTP requests we can leverage.

@bdehamer bdehamer force-pushed the eugene/release-verify branch from 3adea16 to 365fadb Compare June 5, 2025 17:12
@bdehamer
refactor to simplify implementation
53cae59 
Signed-off-by: Brian DeHamer <bdehamer@github.com>
@bdehamer bdehamer force-pushed the eugene/release-verify branch from 365fadb to 53cae59 Compare June 5, 2025 17:35
@bdehamer
Copy link
Contributor
bdehamer commented Jun 5, 2025

@andyfeller / @malancas

With @ejahnGithub out for a couple of weeks I'm taking over responsibility for this PR. I've gone through and done a bit of refactoring and attempted to address your feedback in the process. Would appreciate you each taking another look.

@bdehamer bdehamer requested review from andyfeller and malancas June 5, 2025 17:51
andyfeller
andyfeller requested changes Jun 17, 2025
View reviewed changes
Copy link
Member
@andyfeller andyfeller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Overall this is looking a lot easier to understand, thanks!

I added a few suggestions and questions given my unfamiliarity with the release asset verification capability.

@ejahnGithub ejahnGithub requested a review from andyfeller June 19, 2025 15:27
andyfeller
andyfeller approved these changes Jun 20, 2025
View reviewed changes
Copy link
Member
@andyfeller andyfeller left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@andyfeller andyfeller merged commit d4efe0b into cli:trunk Jun 20, 2025
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bdehamer bdehamer bdehamer left review comments

@andyfeller andyfeller andyfeller approved these changes

@malancas malancas malancas approved these changes

Assignees
No one assigned
Labels
external pull request originating outside of the CLI core team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ejahnGithub @cliAutomation @bdehamer @andyfeller @malancas
0