Skip to content

Make release workflow compatible with immutable releases #8454

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
aarongable merged 1 commit into from
Oct 27, 2025
Merged

Make release workflow compatible with immutable releases #8454

aarongable merged 1 commit into from
Oct 27, 2025

Conversation

@aarongable
Copy link
Contributor

@aarongable aarongable commented Oct 23, 2025

Separate the release workflow into three sequential jobs. The first simply creates a draft release, the second (which can be multiple parallel jobs, if there's a matrix of go versions) builds all the relevant release artifacts and uploads them to container registries and to the release itself, and the third takes the release out of draft mode if and only if the previous jobs succeeded.

This separation allows us to adopt Immutable Releases, which can provide attestations that release artifacts are not modified after they're created. This is because the release only becomes immutable once it is taken out of draft mode, so as long as it's just a draft, multiple different jobs can upload artifacts to it.

Along the way, make a few other small improvements to the release workflow, such as avoiding directly interpolating ${{ github.ref_name }} and using a pinned version of the docker/login-action to authenticate to ghcr.

Fixes #8380

@aarongable
Copy link
Contributor Author

aarongable commented Oct 23, 2025

Demonstration of this working can be seen on my personal fork of boulder.

First the release is created as a draft:
Screenshot-2025-10-23T15:47:47-07:00

Then the multi-stage job runs:
Screenshot-2025-10-23T15:48:10-07:00

And when it's done, the release is successfully populated with artifacts from multiple jobs:
image

@aarongable aarongable marked this pull request as ready for review October 23, 2025 23:12
@aarongable aarongable requested a review from a team as a code owner October 23, 2025 23:12
@aarongable aarongable merged commit ac08b11 into main Oct 27, 2025
13 checks passed
@aarongable aarongable deleted the immutable-release branch October 27, 2025 22:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jprenken jprenken jprenken approved these changes

@beautifulentropy beautifulentropy beautifulentropy approved these changes

@jsha jsha Awaiting requested review from jsha

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Revamp release workflow to allow for immutable releases

4 participants

@aarongable @jprenken @beautifulentropy