Merged
15 changes: 12 additions & 3 deletions .github/workflows/release.yml
Expand Up @@ -21,6 +21,8 @@ jobs:
release:
permissions:
contents: write # for creating the release
id-token: write # for signing artifacts with Sigstore
attestations: write # for uploading attestations
runs-on: ubuntu-latest
needs:
- common
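Review bot: `id-token: write` and `attestations: write` are added to the permissions of the whole `release` job, so every step in that job can request an OIDC token, not only the attestation step. Consider moving the attest step into its own small job that carries these two permissions and receives the jar and SBOM zip as workflow artifacts, leaving `release` with `contents: write` only. If that split is too costly, a comment here noting that the job-wide scope is deliberate would help future reviewers.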
Expand Down Expand Up @@ -170,19 +172,26 @@ jobs:
.github/scripts/generate-release-contributors.sh v$PRIOR_VERSION >> /tmp/release-notes.txt
fi

- name: Simplify jar path for attesting and attaching
run: |
cp javaagent/build/libs/opentelemetry-javaagent-${VERSION}.jar opentelemetry-javaagent.jar

- uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
with:
subject-path: |
opentelemetry-javaagent.jar
opentelemetry-java-instrumentation-SBOM.zip

- id: create-github-release
name: Create GitHub release
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
cp javaagent/build/libs/opentelemetry-javaagent-${VERSION}.jar opentelemetry-javaagent.jar
cp javaagent/build/libs/opentelemetry-javaagent-${VERSION}.jar.asc opentelemetry-javaagent.jar.asc
gh release create --target $GITHUB_REF_NAME \
--title "Version $VERSION" \
--notes-file /tmp/release-notes.txt \
v$VERSION \
opentelemetry-javaagent.jar \
opentelemetry-javaagent.jar.asc \

Would it make sense to keep uploading the signature so that people who are using them could keep doing what they are already doing? https://some-natalie.dev/blog/signing-attesting-builds/#a-food-analogy suggests that both could be done.

opentelemetry-java-instrumentation-SBOM.zip

# these are used as job outputs
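Review bot: The two removed lines that copy and attach `opentelemetry-javaagent.jar.asc` are not needed for the new attestation step, so dropping them removes the GPG verification path for anyone who already checks the release asset that way. Suggest keeping the `cp ... .jar.asc` line and the `opentelemetry-javaagent.jar.asc \` asset argument alongside the attestation, or calling out the removal in the release notes. Also worth a quick check: both files named under `subject-path` have to exist in the working directory when the attest step runs, and this hunk only shows the jar being copied there.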
6 changes: 4 additions & 2 deletions RELEASING.md
Expand Up @@ -65,8 +65,10 @@ and deadlocks.
- Run the [Release workflow](https://github.com/open-telemetry/opentelemetry-java-instrumentation/actions/workflows/release.yml).
- Press the "Run workflow" button, then select the release branch from the dropdown list,
e.g. `release/v1.9.x`, and click the "Run workflow" button below that.
- This workflow will publish the artifacts to maven central and will publish a GitHub release
with release notes based on the change log and with the javaagent jar attached.
- This workflow will:
- Publish the artifacts to Maven Central
- Generate [GitHub Artifact Attestations](https://docs.github.com/en/actions/security-for-github-actions/using-artifact-attestations) for the Java agent jar and SBOM bundle
- Publish a GitHub release with release notes, Java agent jar, and SBOM bundle
- Review and merge the pull request that it creates for updating the apidiff baseline version
to the newly released version (note that this pull request won't be made until after the release
is available in maven central).
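Review bot: The new "Generate GitHub Artifact Attestations" bullet tells the release manager that attestations are produced but gives no step for confirming them once the workflow finishes. Suggest adding a line such as running `gh attestation verify opentelemetry-javaagent.jar --repo open-telemetry/opentelemetry-java-instrumentation` against the downloaded release asset. Minor style point: the new bullet writes "Maven Central" while the unchanged line below still says "maven central".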