Harden release workflow cache and checkout use#74
Merged
Conversation
kans
approved these changes
May 13, 2026
gontzess
added a commit
that referenced
this pull request
May 13, 2026
**Why**
The release workflow accepts a tag input and then builds, signs,
uploads, and records release metadata. The caller checkout should be
tied directly to that tag so a release run cannot publish artifacts from
one commit while labeling or recording them as another tag.
**What this changes**
- Checks out caller code from `refs/tags/${{ inputs.tag }}` in the
binaries, Windows, Docker, and registry metadata jobs.
- Verifies each checked-out caller repository HEAD matches the tag
target before continuing.
- Records the verified connector checkout commit SHA in the registry
metadata instead of using `github.sha`.
- Documents the release source identity invariant in the release
workflow docs.
This PR is stacked on #74 and should merge after it.
**Validation**
- Parsed `.github/workflows/release.yaml` with `yq`.
- Ran `git diff --check`.
- Verified all caller/connector release checkouts use `refs/tags/${{
inputs.tag }}`.
- Ran `orch-cross-review` focused on annotated/lightweight tags,
cross-runner behavior, registry commit recording, and regressions; no
blockers were reported.
- Ran a private connector release canary against this branch; the
release completed successfully, including macOS, Windows, Docker,
manifest publication, artifact verification, and registry recording
jobs.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
The shared release workflow signs and publishes release artifacts, uploads to S3/ECR, and records registry metadata while holding OIDC permissions and release secrets.
actions/setup-gorestores GitHub Actions caches by default, so these privileged jobs should not restore dependency or build state written by other workflow runs. The workflow should also avoid inherited token permissions and avoid persisting checkout credentials into working trees unless a job needs them.What this changes
cache: falseto everyactions/setup-go@v6step in the release workflow.permissions: {}while keeping explicit per-job grants for the jobs that need them.persist-credentials: falseto every release workflow checkout.dockerfile_template,docker_extra_files, andmsi_wxs_pathbefore those inputs are used in generated release config paths.No
setup-nodecache or explicitactions/cacheuse was found in the release workflow.Validation
.github/workflows/release.yamlwithyq.git diff --check.setup-go@v6step now hascache: false.actions/checkout@v5step now haspersist-credentials: false.orch-cross-reviewfocused on correctness, regressions, and security hardening; no blockers were reported.