feat(release): automated release flow — BCR + SLSA L2 + Sigstore + SBOM #32
Pull request overview
Implements an end-to-end automated release pipeline for rules_elide driven by release-please, producing GitHub Release assets (source/docs tarballs) with SPDX SBOM + Sigstore-backed GitHub attestations (SLSA Build L2), and publishing to the Bazel Central Registry via publish-to-bcr as a reusable workflow job.
Changes:
- Rewrites the release workflow to orchestrate release-please → asset build/SBOM/attestations → BCR publish, and removes the old release-triggered BCR workflow.
- Adds an SBOM enrichment utility (and local helper script) to merge direct `bazel_dep` entries from `MODULE.bazel` into the SPDX document.
- Adds release-please configuration and release documentation; updates the README pointer and includes design/plan docs.
Reviewed changes
Copilot reviewed 11 out of 11 changed files in this pull request and generated 9 comments.
| File | Description |
|---|---|
| tools/sbom_prep.sh | Local helper to generate an SPDX SBOM for the release tarball and run enrichment. |
| tools/sbom_enrich.py | Python utility to enrich SPDX SBOMs with direct MODULE.bazel bazel_dep packages + relationships. |
| tools/sbom_enrich_test.py | Unit tests for SBOM enrichment logic. |
| RELEASING.md | Maintainer-facing documentation for the automated release and provenance verification. |
| release-please-config.json | Release-please configuration for Conventional Commits-driven versioning and changelog updates. |
| README.md | Adds a pointer to the automated release/provenance documentation. |
| docs/superpowers/specs/2026-06-24-release-flow-slsa-bcr-design.md | Design document describing the intended release architecture. |
| docs/superpowers/plans/2026-06-24-release-flow.md | Implementation plan capturing steps/constraints for the release flow work. |
| .release-please-manifest.json | Seeds the release-please tracked version state. |
| .github/workflows/release.yml | Orchestrated workflow running release-please, building/uploading assets, generating/enriching SBOM, attesting provenance/SBOM, and publishing to BCR. |
| .github/workflows/publish-to-bcr.yml | Removed legacy workflow (release-event triggered BCR publish). |
963f24d to 096ccc9
Spec for hardening the (scaffolded-but-unused) release flow: release-please versioning, one orchestrated release.yml (release-please -> assets -> bcr), GitHub native build-provenance attestations (Sigstore keyless, SLSA Build L2), SPDX SBOM (syft + MODULE.bazel dep closure) attested and attached, and BCR publish with provenance. Reuses release_prep.sh, .bcr/*, and e2e/smoke. Signed-off-by: Sam Gammon <sam@elide.dev>
4 tasks: release-please config; SPDX SBOM enrichment tool (+tests); orchestrated release.yml (release-please -> assets+provenance -> BCR); release docs. Signed-off-by: Sam Gammon <sam@elide.dev>
Signed-off-by: Sam Gammon <sam@elide.dev>
…to it) Signed-off-by: Sam Gammon <sam@elide.dev>
Signed-off-by: Sam Gammon <sam@elide.dev>
…R workflow Fold publish-to-bcr into a single release.yml; add SBOM + Sigstore build-provenance attestations (SLSA Build L2). Signed-off-by: Sam Gammon <sam@elide.dev>
Signed-off-by: Sam Gammon <sam@elide.dev>
Signed-off-by: Sam Gammon <sam@elide.dev>
…doc sync)
- SBOM: use a registered purl type `pkg:generic/bazel/<name>@<version>` (`pkg:bazel` is not a registered purl type); open files with encoding="utf-8".
- SBOM test: prepend the test's dir to sys.path so it runs from the repo root (not only from tools/); update the purl assertion to match.
- release-please: set `bump-patch-for-minor-pre-major: false` explicitly (pre-1.0 feat -> minor; first release v0.1.0).
- Sync plan + spec docs to the implemented 0.0.0 manifest seed + bump-patch:false.
Signed-off-by: Sam Gammon <sam@elide.dev>
096ccc9 to a8ffe20
Turns the scaffolded-but-never-run release setup into a working automated flow. Built via the brainstorm → spec → plan → subagent-driven execution path; design at `docs/superpowers/specs/2026-06-24-release-flow-slsa-bcr-design.md`, plan at `docs/superpowers/plans/2026-06-24-release-flow.md`.

What it does
On merge of a release-please PR, `.github/workflows/release.yml` runs three gated jobs:
- `release-please` — Conventional-Commits versioning; cuts tag `vX.Y.Z` + GitHub Release (CHANGELOG notes).
- `assets` — builds source + Stardoc-docs tarballs (`release_prep.sh`), generates an SPDX SBOM (syft) enriched with the `MODULE.bazel` dep closure, uploads all three assets, and attests build provenance (SLSA Build L2) + the SBOM — signed keyless via Sigstore (Fulcio/Rekor).
- `bcr` — publishes to the Bazel Central Registry via `bazel-contrib/publish-to-bcr`, called as a reusable-workflow job (sidesteps the `GITHUB_TOKEN` release-event recursion guard).

Key decisions
- `attest-build-provenance` (L3 via `slsa-github-generator` is documented out-of-scope).
- `publish-to-bcr.yml` is folded in; `release_prep.sh`, `.bcr/*`, and `e2e/smoke` are reused unchanged.
- `0.0.0` + `bump-minor-pre-major` (no `bump-patch-for-minor-pre-major`) so the first release is `v0.1.0` and pre-1.0 uses feat→minor / fix→patch.

Files
- `release-please-config.json`, `.release-please-manifest.json`, `tools/sbom_enrich.py` (+ `sbom_enrich_test.py`, 3/3 passing), `tools/sbom_prep.sh`, `RELEASING.md`
- `.github/workflows/release.yml`
- `.github/workflows/publish-to-bcr.yml`
- `README.md` (release/provenance pointer), `CHANGELOG.md` (preserved; release-please appends)
- `PUBLISH_TOKEN` secret with push access to the `elide-dev/bazel-central-registry` fork (already referenced by the old workflow).
- `v0.1.0` release is the true end-to-end integration test — tag-triggered provenance/BCR can't be fully exercised locally.

Follow-ups (non-blocking, from review)
- `CHANGELOG.md` `[Unreleased]` section into release-please's generated `0.1.0` notes.
- `filesAnalyzed`/`downloadLocation`, `encoding="utf-8"`, progress-count) deferred.

All actions pinned by SHA; every job hardened (`step-security/harden-runner`); per-job least-privilege permissions. Final whole-branch review passed (one blocker — the first-version mechanism — fixed in this branch).