ci: fix SLSA predicate schema in attestation steps (#23768)

matifali · web-flow · commit 56171306fff4 · 2026-03-30T15:07:13.000+05:00
Follow-up to #23763. The custom predicate uses the **SLSA v0.2 schema** (`invocation`, `configSource`, `metadata`) but declares `predicate-type` as v1. GitHub's attestation API rejects the mismatch: ``` Error: Failed to persist attestation: Invalid Argument - predicate is not of type slsa1.ProvenancePredicate ``` This was masked before #23763 because the steps failed earlier on missing `subject-digest`. Now that digests are provided, this is the next error. ## Fix Remove the custom `predicate-type` and `predicate` inputs. Without them, `actions/attest@v4` auto-generates a correct SLSA v1 predicate from the GitHub Actions OIDC token — which is what `gh attestation verify` expects. - `ci.yaml`: 3 attestation steps (main, latest, version-specific) - `release.yaml`: 3 attestation steps (base, main, latest) <details> <summary>Verification (source code trace of actions/attest@v4)</summary> 1. **`detect.ts`**: No `predicate-type`/`predicate` → returns `'provenance'` (not `'custom'`) 2. **`main.ts`**: `getPredicateForType('provenance')` → `generateProvenancePredicate()` 3. **`@actions/toolkit/.../provenance.ts`**: `buildSLSAProvenancePredicate()` fetches OIDC claims, builds correct v1 predicate with `buildDefinition`/`runDetails` </details> > 🤖 This PR was created with the help of Coder Agents, and needs a human review. 🧑💻
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -1340,34 +1340,6 @@ jobs:
         with:
           subject-name: ghcr.io/coder/coder-preview
           subject-digest: ${{ steps.docker_digests.outputs.main_digest }}
-          predicate-type: "https://slsa.dev/provenance/v1"
-          predicate: |
-            {
-              "buildType": "https://github.com/actions/runner-images/",
-              "builder": {
-                "id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-              },
-              "invocation": {
-                "configSource": {
-                  "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
-                  "digest": {
-                    "sha1": "${{ github.sha }}"
-                  },
-                  "entryPoint": ".github/workflows/ci.yaml"
-                },
-                "environment": {
-                  "github_workflow": "${{ github.workflow }}",
-                  "github_run_id": "${{ github.run_id }}"
-                }
-              },
-              "metadata": {
-                "buildInvocationID": "${{ github.run_id }}",
-                "completeness": {
-                  "environment": true,
-                  "materials": true
-                }
-              }
-            }
           push-to-registry: true
 
       - name: GitHub Attestation for Docker image (latest tag)
@@ -1378,34 +1350,6 @@ jobs:
         with:
           subject-name: ghcr.io/coder/coder-preview
           subject-digest: ${{ steps.docker_digests.outputs.latest_digest }}
-          predicate-type: "https://slsa.dev/provenance/v1"
-          predicate: |
-            {
-              "buildType": "https://github.com/actions/runner-images/",
-              "builder": {
-                "id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-              },
-              "invocation": {
-                "configSource": {
-                  "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
-                  "digest": {
-                    "sha1": "${{ github.sha }}"
-                  },
-                  "entryPoint": ".github/workflows/ci.yaml"
-                },
-                "environment": {
-                  "github_workflow": "${{ github.workflow }}",
-                  "github_run_id": "${{ github.run_id }}"
-                }
-              },
-              "metadata": {
-                "buildInvocationID": "${{ github.run_id }}",
-                "completeness": {
-                  "environment": true,
-                  "materials": true
-                }
-              }
-            }
           push-to-registry: true
 
       - name: GitHub Attestation for version-specific Docker image
@@ -1416,34 +1360,6 @@ jobs:
         with:
           subject-name: ghcr.io/coder/coder-preview
           subject-digest: ${{ steps.docker_digests.outputs.version_digest }}
-          predicate-type: "https://slsa.dev/provenance/v1"
-          predicate: |
-            {
-              "buildType": "https://github.com/actions/runner-images/",
-              "builder": {
-                "id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-              },
-              "invocation": {
-                "configSource": {
-                  "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
-                  "digest": {
-                    "sha1": "${{ github.sha }}"
-                  },
-                  "entryPoint": ".github/workflows/ci.yaml"
-                },
-                "environment": {
-                  "github_workflow": "${{ github.workflow }}",
-                  "github_run_id": "${{ github.run_id }}"
-                }
-              },
-              "metadata": {
-                "buildInvocationID": "${{ github.run_id }}",
-                "completeness": {
-                  "environment": true,
-                  "materials": true
-                }
-              }
-            }
           push-to-registry: true
 
       # Report attestation failures but don't fail the workflow
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -358,34 +358,6 @@ jobs:
         with:
           subject-name: ghcr.io/coder/coder-base
           subject-digest: ${{ steps.build_base_image.outputs.digest }}
-          predicate-type: "https://slsa.dev/provenance/v1"
-          predicate: |
-            {
-              "buildType": "https://github.com/actions/runner-images/",
-              "builder": {
-                "id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-              },
-              "invocation": {
-                "configSource": {
-                  "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
-                  "digest": {
-                    "sha1": "${{ github.sha }}"
-                  },
-                  "entryPoint": ".github/workflows/release.yaml"
-                },
-                "environment": {
-                  "github_workflow": "${{ github.workflow }}",
-                  "github_run_id": "${{ github.run_id }}"
-                }
-              },
-              "metadata": {
-                "buildInvocationID": "${{ github.run_id }}",
-                "completeness": {
-                  "environment": true,
-                  "materials": true
-                }
-              }
-            }
           push-to-registry: true
 
       - name: Build Linux Docker images
@@ -493,34 +465,6 @@ jobs:
         with:
           subject-name: ghcr.io/coder/coder
           subject-digest: ${{ steps.docker_digests.outputs.multiarch_digest }}
-          predicate-type: "https://slsa.dev/provenance/v1"
-          predicate: |
-            {
-              "buildType": "https://github.com/actions/runner-images/",
-              "builder": {
-                "id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-              },
-              "invocation": {
-                "configSource": {
-                  "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
-                  "digest": {
-                    "sha1": "${{ github.sha }}"
-                  },
-                  "entryPoint": ".github/workflows/release.yaml"
-                },
-                "environment": {
-                  "github_workflow": "${{ github.workflow }}",
-                  "github_run_id": "${{ github.run_id }}"
-                }
-              },
-              "metadata": {
-                "buildInvocationID": "${{ github.run_id }}",
-                "completeness": {
-                  "environment": true,
-                  "materials": true
-                }
-              }
-            }
           push-to-registry: true
 
       - name: GitHub Attestation for "latest" Docker image
@@ -531,34 +475,6 @@ jobs:
         with:
           subject-name: ghcr.io/coder/coder
           subject-digest: ${{ steps.docker_digests.outputs.latest_digest }}
-          predicate-type: "https://slsa.dev/provenance/v1"
-          predicate: |
-            {
-              "buildType": "https://github.com/actions/runner-images/",
-              "builder": {
-                "id": "https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-              },
-              "invocation": {
-                "configSource": {
-                  "uri": "git+https://github.com/${{ github.repository }}@${{ github.ref }}",
-                  "digest": {
-                    "sha1": "${{ github.sha }}"
-                  },
-                  "entryPoint": ".github/workflows/release.yaml"
-                },
-                "environment": {
-                  "github_workflow": "${{ github.workflow }}",
-                  "github_run_id": "${{ github.run_id }}"
-                }
-              },
-              "metadata": {
-                "buildInvocationID": "${{ github.run_id }}",
-                "completeness": {
-                  "environment": true,
-                  "materials": true
-                }
-              }
-            }
           push-to-registry: true
 
       # Report attestation failures but don't fail the workflow
