Skip to content

Fix release pipeline warnings and add SLSA verification#293

Merged
satwareAG-ironMike merged 4 commits into
satware-mainfrom
fix/release-pipeline-warnings
Jul 2, 2026
Merged

Fix release pipeline warnings and add SLSA verification#293
satwareAG-ironMike merged 4 commits into
satware-mainfrom
fix/release-pipeline-warnings

Conversation

@satwareAG-ironMike

Copy link
Copy Markdown

Summary

Fixes 4 issues found during the v11.0.2-rc.1 E2E release test.

Changes

1. Remove Unix-style CFLAGS/LDFLAGS from Windows build (LNK4044)

release-windows.yml: Removed CFLAGS=-I... and LDFLAGS=-L... env vars.
PHP's config.w32 already emits MSVC-correct /libpath: and /I flags
via CHECK_LIB() and CHECK_HEADER_ADD_INCLUDE(). The Unix -L flag
was rejected by link.exe (LNK4044 warning).

2. Upload missing .md5 checksums, remove per-platform CHECKSUMS

release-linux.yml + release-macos.yml: Added *.md5 to softprops upload
patterns (were generated but never uploaded). Removed per-platform
CHECKSUMS-SHA256.txt uploads — publish-release.yml already generates
consolidated checksums covering all artifacts. Also avoids softprops #767
same-filename collision.

3. Bump actions/download-artifact v6 to v7 (Node.js 24)

v6.0.0 still defaulted to Node.js 20 despite preliminary Node 24 support.
v7.0.0 runs on Node.js 24 by default. No breaking changes (unlike v8.0.0
which has ESM + hash-mismatch-error defaults). 5 occurrences across 3 files.

4. Add SLSA attestation verification step

publish-release.yml: Added gh attestation verify step between attestation
generation and release publishing. Uses --signer-workflow for stronger
provenance. Fails fast if any artifact lacks valid attestation, keeping
release in draft state. Satisfies spec-v10.4-supply-chain.md acceptance
criteria.

Testing

  • CI green (ci, code-quality, sanitizers, coverage workflows)
  • E2E release test with v11.0.2-rc.2 tag
  • Verify: no LNK4044, .md5 files present, no Node 20 warning, SLSA verify passes

config.w32 already emits MSVC-correct /libpath: and /I flags via
CHECK_LIB() and CHECK_HEADER_ADD_INCLUDE(). The Unix-style -L flag
is rejected by link.exe (LNK4044 warning), and -I is redundantly
tolerated by cl.exe. --with-firebird=FIREBIRD_HOME drives all
path resolution; these env vars were pure dead weight.
Add missing .md5 files to softprops upload patterns (were generated
and copied to release-assets/ but never uploaded).

Remove per-platform CHECKSUMS-SHA256.txt uploads from Linux and
macOS workflows. publish-release.yml already generates consolidated
CHECKSUMS-SHA256.txt and CHECKSUMS-MD5.txt covering all artifacts
(.tar.gz and .zip). This also avoids the softprops #767 same-filename
collision when both workflows upload concurrently.
v6.0.0 still defaulted to Node.js 20 runtime despite preliminary
Node 24 support. v7.0.0 runs on Node.js 24 by default, resolving
the Node.js 20 deprecation warning. No breaking changes (unlike
v8.0.0 which has ESM migration and hash-mismatch-error defaults).

Affects 5 occurrences across 3 release workflows.
Verifies all release artifacts (.tar.gz, .zip) have valid SLSA
provenance attestations before publishing the release. Uses
gh attestation verify with --signer-workflow for stronger
provenance (validates certificate SAN against our workflow path).

Fails fast if any artifact lacks a valid attestation, keeping
the release in draft state. Satisfies spec-v10.4-supply-chain.md
acceptance criteria (line 24, 94).
@satwareAG-ironMike satwareAG-ironMike merged commit 36a691c into satware-main Jul 2, 2026
32 checks passed
@satwareAG-ironMike satwareAG-ironMike deleted the fix/release-pipeline-warnings branch July 2, 2026 09:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant