chore(ci): remove attestation details from workflow summaries

morrison-sap · morrison-sap · commit 23a1b833de6e · 2026-02-11T21:51:05.000+01:00
On-behalf-of: Gerald Morrison (SAP) &lt;gerald.morrison@sap.com&gt;
Signed-off-by: Gerald Morrison (SAP) &lt;gerald.morrison@sap.com&gt;
diff --git a/.github/workflows/cli-release.yml b/.github/workflows/cli-release.yml
@@ -143,19 +143,6 @@ jobs:
           repository: ${{ github.repository }}
           name: ${{ needs.build.outputs.artifact_name }}
 
-      - name: Append attestation references to RC notes
-        run: |
-          {
-            echo ""
-            echo "## Build Metadata"
-            if [ -n "${{ needs.build.outputs.binary_attestation_url }}" ]; then
-              echo "- Attestation created (binaries): ${{ needs.build.outputs.binary_attestation_url }}"
-            fi
-            if [ -n "${{ needs.build.outputs.oci_attestation_url }}" ]; then
-              echo "- Attestation created (oci): ${{ needs.build.outputs.oci_attestation_url }}"
-            fi
-          } >> "${{ runner.temp }}/CHANGELOG.md"
-
       - name: Create RC Release
         uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
         with:
@@ -197,49 +184,6 @@ jobs:
               return;
             }
 
-  # ----------------------------------------------------------------
-  # 5b. Resolve RC metadata used for final summaries
-  # ----------------------------------------------------------------
-  resolve_rc_metadata:
-    name: Resolve RC Metadata for Final Summaries
-    if: ${{ github.event.inputs.release_candidate == 'false' }}
-    needs: [prepare, validate_final]
-    runs-on: ubuntu-latest
-    outputs:
-      rc_binary_attestation_url: ${{ steps.resolve.outputs.rc_binary_attestation_url }}
-      rc_oci_attestation_url: ${{ steps.resolve.outputs.rc_oci_attestation_url }}
-    steps:
-      - name: Resolve attestation links from RC release body
-        id: resolve
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
-        env:
-          RC_TAG: ${{ needs.prepare.outputs.latest_rc_tag }}
-        with:
-          github-token: ${{ secrets.GITHUB_TOKEN }}
-          script: |
-            const tag = process.env.RC_TAG;
-            if (!tag) {
-              core.setFailed('Missing RC_TAG');
-              return;
-            }
-
-            const release = await github.rest.repos.getReleaseByTag({
-              owner: context.repo.owner,
-              repo: context.repo.repo,
-              tag,
-            });
-
-            const body = release.data.body || '';
-            const binary = body.match(/Attestation created \(binaries\):\s*(https:\/\/github\.com\/[^\s]+)/i);
-            const oci = body.match(/Attestation created \(oci\):\s*(https:\/\/github\.com\/[^\s]+)/i);
-
-            core.setOutput('rc_binary_attestation_url', binary ? binary[1] : '');
-            core.setOutput('rc_oci_attestation_url', oci ? oci[1] : '');
-
-            if (!binary && !oci) {
-              core.warning(`No dedicated attestation links found in RC release body for tag ${tag}`);
-            }
-
   # --------------------------------------------------------
   # 6. Tag Final: Create and push final tag from RC commit
   # --------------------------------------------------------
@@ -320,7 +264,7 @@ jobs:
   promote_image:
     name: Promote OCI Image to Final and Latest
     if: ${{ github.event.inputs.release_candidate == 'false' && github.event.inputs.dry_run == 'false' }}
-    needs: [prepare, validate_final, resolve_rc_metadata, tag_final]
+    needs: [prepare, validate_final, tag_final]
     runs-on: ubuntu-latest
     permissions:
       packages: write
@@ -342,14 +286,12 @@ jobs:
           RC_VERSION: ${{ needs.prepare.outputs.latest_rc_version }}
           FINAL_VERSION: ${{ needs.prepare.outputs.latest_promotion_version }}
           TARGET_REPO: ${{ env.REGISTRY }}/${{ github.repository_owner }}/cli
-          RC_OCI_ATTESTATION_URL: ${{ needs.resolve_rc_metadata.outputs.rc_oci_attestation_url }}
         with:
           script: |
             const { execSync } = require('child_process');
             const rcVersion = process.env.RC_VERSION;
             const finalVersion = process.env.FINAL_VERSION;
             const targetRepo = process.env.TARGET_REPO;
-            const rcOciAttestationUrl = process.env.RC_OCI_ATTESTATION_URL;
             if (!rcVersion) {
               core.setFailed('Missing RC_VERSION');
               return;
@@ -368,26 +310,15 @@ jobs:
                 ['Source Tag', `${targetRepo}:${rcVersion}`],
                 ['Promoted Tags', `${targetRepo}:${finalVersion}, ${targetRepo}:latest`],
               ])
-              .addHeading('Attestation');
-
-            if (rcOciAttestationUrl) {
-              await core.summary
-                .addLink(rcOciAttestationUrl, rcOciAttestationUrl)
-                .write();
-            } else {
-              await core.summary
-                .addRaw('No dedicated RC OCI attestation URL found in RC release notes.')
-                .addEOL()
-                .write();
-            }
+              .write();
 
   # --------------------------------------------------------
   # 8. Release Final: Create GitHub final release from RC assets
   # --------------------------------------------------------
   release_final:
     name: Create Final Release from RC
     if: ${{ github.event.inputs.release_candidate == 'false' && github.event.inputs.dry_run == 'false' }}
-    needs: [prepare, validate_final, resolve_rc_metadata, tag_final, promote_image]
+    needs: [prepare, validate_final, tag_final, promote_image]
     runs-on: ubuntu-latest
     permissions:
       contents: write
@@ -427,8 +358,6 @@ jobs:
         env:
           RC_TAG: ${{ needs.prepare.outputs.latest_rc_tag }}
           RC_VERSION: ${{ needs.prepare.outputs.latest_rc_version }}
-          RC_BINARY_ATTESTATION_URL: ${{ needs.resolve_rc_metadata.outputs.rc_binary_attestation_url }}
-          RC_OCI_ATTESTATION_URL: ${{ needs.resolve_rc_metadata.outputs.rc_oci_attestation_url }}
           FINAL_TAG: ${{ needs.prepare.outputs.latest_promotion_tag }}
           FINAL_VERSION: ${{ needs.prepare.outputs.latest_promotion_version }}
           TARGET_REPO: ${{ env.REGISTRY }}/${{ github.repository_owner }}/cli
@@ -444,8 +373,6 @@ jobs:
             const finalVersion = process.env.FINAL_VERSION;
             const rcTag = process.env.RC_TAG;
             const rcVersion = process.env.RC_VERSION;
-            const rcBinaryAttestationUrl = process.env.RC_BINARY_ATTESTATION_URL;
-            const rcOciAttestationUrl = process.env.RC_OCI_ATTESTATION_URL;
             const targetRepo = process.env.TARGET_REPO;
             const downloadDir = process.env.DOWNLOAD_DIR;
             const notesFile = process.env.NOTES_FILE;
@@ -498,27 +425,4 @@ jobs:
                 ['OCI Tags', `${targetRepo}:${finalVersion}, ${targetRepo}:latest (from ${rcVersion || 'n/a'})`],
                 ['Uploaded Assets', String(files.length)],
               ])
-              .addHeading('Attestation');
-
-            if (rcOciAttestationUrl) {
-              await core.summary
-                .addRaw('OCI: ')
-                .addLink(rcOciAttestationUrl, rcOciAttestationUrl)
-                .addEOL()
-                .write();
-            }
-
-            if (rcBinaryAttestationUrl) {
-              await core.summary
-                .addRaw('Binaries: ')
-                .addLink(rcBinaryAttestationUrl, rcBinaryAttestationUrl)
-                .addEOL()
-                .write();
-            }
-
-            if (!rcOciAttestationUrl && !rcBinaryAttestationUrl) {
-              await core.summary
-                .addRaw('No dedicated RC attestation URL found in RC release notes.')
-                .addEOL()
-                .write();
-            }
+              .write();
diff --git a/.github/workflows/cli.yml b/.github/workflows/cli.yml
@@ -34,12 +34,6 @@ on:
       artifact_id:
         description: "The artifact id that was built."
         value: ${{ jobs.build.outputs.artifact_id }}
-      binary_attestation_url:
-        description: "Attestation URL for built binaries (if created)."
-        value: ${{ jobs.build.outputs.binary_attestation_url }}
-      oci_attestation_url:
-        description: "Attestation URL for OCI image (if created)."
-        value: ${{ jobs.publish.outputs.oci_attestation_url }}
 
 env:
   LOCATION: "cli"                       # Folder containing the CLI source
@@ -62,7 +56,6 @@ jobs:
       artifact_name: ${{ env.ARTIFACT_NAME }}
       artifact_id: ${{ steps.upload-artifacts.outputs.artifact_id }}
       should_push_oci_image: ${{ steps.branch-check.outputs.should_push_oci_image }}  # Used by publish job
-      binary_attestation_url: ${{ steps.attest_binaries.outputs.attestation-url }}
     permissions:
       contents: read
       id-token: write         # Needed for provenance attestations
@@ -117,23 +110,11 @@ jobs:
       # Attest built binaries with provenance metadata, but only if we're not on a PR
       - name: Attest binaries
         if: ${{ github.event_name != 'pull_request' }}
-        id: attest_binaries
         uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           subject-path: "${{ env.LOCATION }}/tmp/bin/ocm-*"
-
-      - name: Summarize binary attestation
-        if: ${{ github.event_name != 'pull_request' && steps.attest_binaries.outputs.attestation-url != '' }}
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
-        env:
-          ATTESTATION_URL: ${{ steps.attest_binaries.outputs.attestation-url }}
-        with:
-          script: |
-            await core.summary
-              .addHeading('Attestation created')
-              .addLink(process.env.ATTESTATION_URL, process.env.ATTESTATION_URL)
-              .write();
+          show-summary: false
 
       # Determine if this branch is eligible for publishing, but only if we're not on a PR
       - name: Determine if this is a push-eligible branch
@@ -173,8 +154,6 @@ jobs:
       packages: write         # Needed for pushing OCI images and provenance layers
       id-token: write         # Needed for provenance attestation identity
       attestations: write     # Allows storing provenance attestation
-    outputs:
-      oci_attestation_url: ${{ steps.attest_oci.outputs.attestation-url }}
     steps:
       # Retrieve artifacts produced by the build job
       - name: Download build artifacts
@@ -227,22 +206,10 @@ jobs:
         id: digest
         run: echo "digest=$(oras resolve ${TARGET_REPO}:${TAG})" >> "$GITHUB_OUTPUT"
       - name: Attest OCI image
-        id: attest_oci
         uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           subject-digest: ${{ steps.digest.outputs.digest }}
           subject-name: ${{ env.TARGET_REPO }}
           push-to-registry: true
-
-      - name: Summarize OCI attestation
-        if: ${{ steps.attest_oci.outputs.attestation-url != '' }}
-        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
-        env:
-          ATTESTATION_URL: ${{ steps.attest_oci.outputs.attestation-url }}
-        with:
-          script: |
-            await core.summary
-              .addHeading('Attestation created')
-              .addLink(process.env.ATTESTATION_URL, process.env.ATTESTATION_URL)
-              .write();
+          show-summary: false
