From a77e27061e6734c6818ebf949cfb4b826e33b48b Mon Sep 17 00:00:00 2001 From: Michael Wegener Date: Thu, 2 Jul 2026 11:43:46 +0200 Subject: [PATCH 1/4] fix(windows): remove Unix-style CFLAGS/LDFLAGS causing LNK4044 config.w32 already emits MSVC-correct /libpath: and /I flags via CHECK_LIB() and CHECK_HEADER_ADD_INCLUDE(). The Unix-style -L flag is rejected by link.exe (LNK4044 warning), and -I is redundantly tolerated by cl.exe. --with-firebird=FIREBIRD_HOME drives all path resolution; these env vars were pure dead weight. --- .github/workflows/release-windows.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml index 4f83e5a4..e9d90771 100644 --- a/.github/workflows/release-windows.yml +++ b/.github/workflows/release-windows.yml @@ -113,8 +113,6 @@ jobs: $sdkPath = "C:\firebird-sdk" echo "FIREBIRD_HOME=$sdkPath" >> $env:GITHUB_ENV echo "$sdkPath\bin" >> $env:GITHUB_PATH - echo "CFLAGS=-I$sdkPath\include" >> $env:GITHUB_ENV - echo "LDFLAGS=-L$sdkPath\lib" >> $env:GITHUB_ENV - name: Build Extension uses: php/php-windows-builder/extension@c49dae50774b14e0f358d2efa65637b67f1104f6 # v1 From cb58f7219bb3d8654a08e07145d86feb623a558c Mon Sep 17 00:00:00 2001 From: Michael Wegener Date: Thu, 2 Jul 2026 11:44:24 +0200 Subject: [PATCH 2/4] fix(release): upload .md5 checksums, remove per-platform CHECKSUMS Add missing .md5 files to softprops upload patterns (were generated and copied to release-assets/ but never uploaded). Remove per-platform CHECKSUMS-SHA256.txt uploads from Linux and macOS workflows. publish-release.yml already generates consolidated CHECKSUMS-SHA256.txt and CHECKSUMS-MD5.txt covering all artifacts (.tar.gz and .zip). This also avoids the softprops #767 same-filename collision when both workflows upload concurrently. --- .github/workflows/release-linux.yml | 2 +- .github/workflows/release-macos.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release-linux.yml b/.github/workflows/release-linux.yml index fd27edae..0fad05fc 100644 --- a/.github/workflows/release-linux.yml +++ b/.github/workflows/release-linux.yml @@ -629,8 +629,8 @@ jobs: files: | release-assets/*.tar.gz release-assets/*.sha256 + release-assets/*.md5 release-assets/*.sbom.cdx.json - release-assets/CHECKSUMS-SHA256.txt fail_on_unmatched_files: false # Create draft release for tag push (immutable releases) draft: true diff --git a/.github/workflows/release-macos.yml b/.github/workflows/release-macos.yml index cecfc873..e10cf2a7 100644 --- a/.github/workflows/release-macos.yml +++ b/.github/workflows/release-macos.yml @@ -490,8 +490,8 @@ jobs: files: | release-assets/*.tar.gz release-assets/*.sha256 + release-assets/*.md5 release-assets/*.sbom.cdx.json - release-assets/CHECKSUMS-SHA256.txt fail_on_unmatched_files: false draft: true env: From 9605cf97ed786889daa64575046c8fef41026dbb Mon Sep 17 00:00:00 2001 From: Michael Wegener Date: Thu, 2 Jul 2026 11:44:57 +0200 Subject: [PATCH 3/4] fix(ci): bump actions/download-artifact v6 to v7 for Node 24 v6.0.0 still defaulted to Node.js 20 runtime despite preliminary Node 24 support. v7.0.0 runs on Node.js 24 by default, resolving the Node.js 20 deprecation warning. No breaking changes (unlike v8.0.0 which has ESM migration and hash-mismatch-error defaults). Affects 5 occurrences across 3 release workflows. --- .github/workflows/release-linux.yml | 4 ++-- .github/workflows/release-macos.yml | 4 ++-- .github/workflows/release-windows.yml | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/release-linux.yml b/.github/workflows/release-linux.yml index 0fad05fc..b8be1453 100644 --- a/.github/workflows/release-linux.yml +++ b/.github/workflows/release-linux.yml @@ -577,7 +577,7 @@ jobs: steps: - name: Download All Artifacts - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: path: artifacts @@ -670,7 +670,7 @@ jobs: steps: - name: Download PHP ${{ matrix.php }} NTS Bundle - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: pattern: "${{ matrix.bundle_pattern }}" path: bundle diff --git a/.github/workflows/release-macos.yml b/.github/workflows/release-macos.yml index e10cf2a7..85aef30f 100644 --- a/.github/workflows/release-macos.yml +++ b/.github/workflows/release-macos.yml @@ -440,7 +440,7 @@ jobs: steps: - name: Download All Artifacts - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: path: artifacts @@ -522,7 +522,7 @@ jobs: echo "PHP version: $(php -v | head -1)" - name: Download Bundle - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: pattern: "*macos*${{ matrix.arch }}*" path: bundle diff --git a/.github/workflows/release-windows.yml b/.github/workflows/release-windows.yml index e9d90771..9dc2138a 100644 --- a/.github/workflows/release-windows.yml +++ b/.github/workflows/release-windows.yml @@ -148,7 +148,7 @@ jobs: fi - name: Download All Build Artifacts - uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6 + uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 with: path: artifacts From e967e608d3207e7c97133d058c003215efdbed32 Mon Sep 17 00:00:00 2001 From: Michael Wegener Date: Thu, 2 Jul 2026 11:45:42 +0200 Subject: [PATCH 4/4] feat(ci): add SLSA attestation verification step Verifies all release artifacts (.tar.gz, .zip) have valid SLSA provenance attestations before publishing the release. Uses gh attestation verify with --signer-workflow for stronger provenance (validates certificate SAN against our workflow path). Fails fast if any artifact lacks a valid attestation, keeping the release in draft state. Satisfies spec-v10.4-supply-chain.md acceptance criteria (line 24, 94). --- .github/workflows/publish-release.yml | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/.github/workflows/publish-release.yml b/.github/workflows/publish-release.yml index ff79be98..637d7b9f 100644 --- a/.github/workflows/publish-release.yml +++ b/.github/workflows/publish-release.yml @@ -148,6 +148,27 @@ jobs: release-assets/*.tar.gz release-assets/*.zip + - name: Verify SLSA attestations + run: | + set -e + fail=0 + for f in release-assets/*.tar.gz release-assets/*.zip; do + [ -f "$f" ] || continue + echo "Verifying attestation for: $f" + if gh attestation verify "$f" \ + --repo "${{ github.repository }}" \ + --signer-workflow "${{ github.repository }}/.github/workflows/publish-release.yml"; then + echo " OK" + else + echo " FAILED" + fail=1 + fi + done + [ "$fail" -ne 0 ] && exit 1 + echo "All release artifacts have verified SLSA provenance attestations" + env: + GH_TOKEN: ${{ github.token }} + - name: Generate checksums index run: | cd release-assets