
fix(ci): revert SLSA builder to v2.0.0 #427

Merged
CybotTM merged 1 commit into main from fix/slsa-builder-v2.0.0
Dec 23, 2025

Conversation

@CybotTM CybotTM (Member) commented Dec 23, 2025

Summary

  • The v2.1.0 SLSA builder incorrectly detects the repository as private
  • This causes all builds to fail with: "Repository is private. The workflow has halted..."
  • The repository is public and private-repository: false is set
  • Reverting to v2.0.0, which worked correctly for the v0.17.0 release

Test plan

  • Verify the release workflow completes successfully after this fix

Copilot AI review requested due to automatic review settings December 23, 2025 14:23
@CybotTM CybotTM enabled auto-merge December 23, 2025 14:23
github-actions bot commented Dec 23, 2025

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score | Details |
| --- | --- | --- | --- |
| actions/slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml | 5a775b367a56d5bd118a224a811bba288150a563 | 🟢 7.4 | see below |

Details

| Check | Score | Reason |
| --- | --- | --- |
| Maintained | 🟢 6 | 1 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 6 |
| Security-Policy | 🟢 10 | security policy file detected |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dependency-Update-Tool | 🟢 10 | update tool detected |
| Code-Review | 🟢 10 | all changesets reviewed |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Token-Permissions | 🟢 10 | GitHub workflow tokens follow principle of least privilege |
| Pinned-Dependencies | 🟢 4 | dependency not pinned by hash detected -- score normalized to 4 |
| CII-Best-Practices | 🟢 5 | badge detected: Passing |
| Signed-Releases | 🟢 10 | 5 out of the last 5 releases have a total of 5 signed artifacts. |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| SAST | 🟢 10 | SAST tool is run on all commits |
| License | 🟢 10 | license file detected |
| Branch-Protection | ⚠️ 2 | branch protection is not maximal on development and all release branches |
| CI-Tests | 🟢 10 | 28 out of 28 merged PRs checked by a CI test -- score normalized to 10 |
| Vulnerabilities | ⚠️ 0 | 25 existing vulnerabilities detected |
| Contributors | 🟢 10 | project has 29 contributing companies or organizations |

Scanned Files

  • .github/workflows/release-slsa.yml

Copilot AI left a comment

Pull request overview

This PR reverts the SLSA GitHub Generator from v2.1.0 to v2.0.0 to fix a CI failure where v2.1.0 incorrectly identifies the public repository as private, causing all release builds to fail despite private-repository: false being explicitly set.

  • Reverts SLSA builder version from v2.1.0 (commit hash) to v2.0.0 (tag reference)
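The review notes that the revert moves the builder reference from a commit hash to a tag. As an added illustration (not code from this PR or the project), here is a small Python check for that distinction: a full-SHA reference is immutable, while a tag such as v2.0.0 or a branch can be moved after review, so the script lists every `uses:` reference in a workflow and reports which are not pinned to a full SHA. The workflow text below is constructed for the example, not the repository's release-slsa.yml; the hash is the one the scorecard row above scanned, labelled v2.1.0 per the review comment.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not the repository's real release-slsa.yml).
# It contains both forms of the SLSA builder reference this PR swaps between:
# the full commit hash from the scorecard row and the v2.0.0 tag.
SAMPLE_WORKFLOW = """\
jobs:
  provenance:
    permissions:
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@5a775b367a56d5bd118a224a811bba288150a563 # v2.1.0
    with:
      private-repository: false
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: slsa-framework/slsa-github-generator/.github/workflows/builder_go_slsa3.yml@v2.0.0
      - uses: some-org/some-action@main
"""

# `uses: <action>@<ref>` with an optional trailing `# vX.Y.Z` version comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)@([^\s#]+)(?:\s*#\s*(\S+))?", re.M)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
TAG_RE = re.compile(r"^v?\d+(\.\d+)*$")

def classify_ref(ref: str) -> str:
    """'sha' is immutable; a tag or branch can be re-pointed after review."""
    if FULL_SHA_RE.match(ref):
        return "sha"
    if TAG_RE.match(ref):
        return "tag"
    return "branch"

def audit_uses(workflow_text: str) -> List[Dict[str, str]]:
    """One record per `uses:` line: action path, ref, verdict, version comment."""
    findings = []
    for m in USES_RE.finditer(workflow_text):
        action, ref, comment = m.group(1), m.group(2), m.group(3) or ""
        findings.append({"action": action, "ref": ref,
                         "verdict": classify_ref(ref), "version": comment})
    return findings

def mutable_refs(workflow_text: str) -> List[str]:
    """'action@ref' for every reference that a tag move or branch push could change."""
    return [f"{f['action']}@{f['ref']}" for f in audit_uses(workflow_text)
            if f["verdict"] != "sha"]
```

The version comment beside a SHA pin is what lets an update tool recognise which release the hash corresponds to, so a pinned reference without one is worth flagging in review as well.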

The v2.1.0 SLSA builder incorrectly detects the repository as private even
though it's public and 'private-repository: false' is set. This causes all
builds to fail immediately.

Reverting to v2.0.0 which worked correctly for v0.17.0 release.
@CybotTM CybotTM force-pushed the fix/slsa-builder-v2.0.0 branch from bb13c6a to 3bdbde1 December 23, 2025 14:30
@CybotTM CybotTM added this pull request to the merge queue Dec 23, 2025
Merged via the queue into main with commit 336b80a Dec 23, 2025
26 checks passed
@CybotTM CybotTM deleted the fix/slsa-builder-v2.0.0 branch December 23, 2025 14:35
@CybotTM CybotTM added the released:v0.17.1 Released in v0.17.1 label Dec 26, 2025