What's new in v0.7.1
v0.7.1 is a supply-chain maintenance release. The SLSA build provenance tooling moves from slsa-framework/slsa-github-generator@v2.1.0 (in de-facto maintenance since 2025-02-24, with all of its internal actions still on Node.js 20 while GitHub-hosted runners switch to a Node 24 default on 2 June 2026) to the GitHub-native actions/attest-build-provenance. The new pipeline claims SLSA Build L3 (up from L2), stores the attestation in the GitHub attestations API instead of as a release asset, and is verified with gh attestation verify instead of slsa-verifier verify-artifact. Daemon and verify-hash behavior on already-clean inputs is preserved byte-for-byte from v0.7.0.
Breaking change for downstream verification
A script that fetched multiple.intoto.jsonl from the release assets and ran slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl ... no longer works on 0.7.1+ binaries. The asset is no longer published. Migration on the consumer side:
```sh
# v0.7.0 (legacy, still works for the v0.7.0 binary):
slsa-verifier verify-artifact \
  --provenance-path multiple.intoto.jsonl \
  --source-uri github.com/robintra/perf-sentinel \
  --source-tag v0.7.0 \
  perf-sentinel-linux-amd64

# v0.7.1+ (new):
gh attestation verify perf-sentinel-linux-amd64 \
  --repo robintra/perf-sentinel
```

Requires gh CLI 2.49+ (earlier versions do not implement `gh attestation verify`). Note that `gh attestation verify` takes either `--owner <organization>` or `--repo <owner>/<repo>`, not both, and `--repo` wants the full `owner/repo` form; a bare repository name is rejected. The v0.7.0 release retains its legacy `multiple.intoto.jsonl` and is unaffected; the breaking change applies only to v0.7.1 onward.
SLSA pipeline migration
- `actions/attest-build-provenance@v4.1.0` replaces the previous reusable workflow. It is SHA-pinned in `.github/workflows/release.yml`, the same pattern `helm-release.yml` was already using for the chart attestation. The step needs `id-token: write` and `attestations: write` in the job's `permissions` block; without them the Sigstore signing request fails.
- Two release-workflow jobs collapsed: `compute-subjects` (the base64-encoded SHA list that was an input to the reusable generator) and the standalone `provenance` reusable-workflow call are removed. The attestation step now runs inside the existing `release` job, right after the SHA256SUMS generation.
- SLSA level claim bumped from L2 to L3. The provenance is signed through Sigstore with the GitHub Actions OIDC identity of the release workflow and built on a GitHub-hosted runner, and the `integrity.binary_attestation.slsa_level` field declared in disclosure reports now reads `"L3"` for 0.7.1+ builds. One caveat for consumers: GitHub's own documentation rates an `attest-build-provenance` step that runs inline in the calling workflow at SLSA Build L2, and reserves Build L3 for provenance generated by a separate reusable workflow whose identity the consumer pins with `gh attestation verify --signer-workflow`. Treat the `"L3"` value as the project's claim and verify the signer identity yourself rather than relying on the field.
- Attestation lives in the GitHub attestations API, queryable by binary digest. There is no release-asset payload to mirror or republish; the trust root is the GitHub Actions OIDC signing identity, with the short-lived signing certificate and its transparency-log entry recorded in the public Sigstore instance (Fulcio and Rekor). Consumers who need an offline or mirrored copy can fetch the bundle with `gh attestation download <binary> --repo robintra/perf-sentinel` and hand it to `gh attestation verify --bundle <file>`.
verify-hash hint update
- `verify_binary_attestation` now prints ``Verify the binary with `gh attestation verify --owner robintra --repo perf-sentinel` `` instead of the previous `slsa-verifier verify-artifact --provenance-path ...` recipe. As printed, the hint passes both flags with a bare repository name; `gh attestation verify` accepts either `--owner <organization>` or `--repo <owner>/<repo>`, so the form that actually runs is `gh attestation verify <binary> --repo robintra/perf-sentinel`.
- The PARTIAL exit code (2) is now triggered by an absent `gh` CLI instead of an absent `slsa-verifier`. The behavior of a scripted `verify-hash && deploy` gate is unchanged: it still blocks on any non-zero code.
- No change to content hash recompute, Sigstore signature verification, identity binding, or any other check. The migration is scoped to the SLSA verification slot only.
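The two-recipe migration from the breaking-change section and the PARTIAL exit-code contract of `verify-hash` fit naturally in one consumer-side wrapper. The script below is an added example, not part of perf-sentinel or its documentation: it picks the verifier from the release tag (legacy `slsa-verifier` below v0.7.1, `gh attestation verify` from v0.7.1 on), returns 2 when the required verifier is not installed so that an `&& deploy` gate keeps blocking, and optionally verifies against a bundle saved by `gh attestation download` for mirrored deployments. The `--signer-workflow` value assumes the attestation is signed by `.github/workflows/release.yml` in the repository, as the pipeline section describes; the `GH_BIN` and `SLSA_VERIFIER_BIN` overrides and the `ver_ge`/`have_tool` helpers are the example's own.

```sh
#!/bin/sh
# Added example, not perf-sentinel's own code: choose the provenance verifier
# for a release tag and keep the verify-hash exit-code contract
# (0 = verified, 1 = verification failed, 2 = PARTIAL, verifier not installed).

# Tool overrides (example's own): point at an alternate binary, or at a
# non-existent path to exercise the PARTIAL branch.
GH_BIN=${GH_BIN:-gh}
SLSA_VERIFIER_BIN=${SLSA_VERIFIER_BIN:-slsa-verifier}

# have_tool NAME: true when NAME resolves to an executable (works for bare
# names on PATH and for absolute paths alike).
have_tool() { [ -x "$(command -v "$1" 2>/dev/null)" ]; }

# ver_ge A B: true when A >= B. Tags are assumed to be X.Y.Z, optional leading
# "v", optional pre-release suffix after the patch number (suffix ignored).
ver_ge() {
  a=${1#v}; b=${2#v}
  a_major=${a%%.*}; a_rest=${a#*.}; a_minor=${a_rest%%.*}
  a_patch=${a_rest#*.}; a_patch=${a_patch%%-*}
  b_major=${b%%.*}; b_rest=${b#*.}; b_minor=${b_rest%%.*}
  b_patch=${b_rest#*.}; b_patch=${b_patch%%-*}
  a_num=$((a_major * 1000000 + a_minor * 1000 + a_patch))
  b_num=$((b_major * 1000000 + b_minor * 1000 + b_patch))
  if [ "$a_num" -ge "$b_num" ]; then return 0; else return 1; fi
}

# verifier_for_tag TAG: "gh" for v0.7.1+, "slsa-verifier" for anything older.
verifier_for_tag() {
  if ver_ge "$1" v0.7.1; then echo gh; else echo slsa-verifier; fi
}

# verify_release BINARY TAG [EXTRA]
#   pre-0.7.1: EXTRA is the multiple.intoto.jsonl release asset (default name)
#   0.7.1+   : EXTRA, if given, is a bundle written by `gh attestation download`
verify_release() {
  bin=$1; tag=$2; extra=${3:-}
  case $(verifier_for_tag "$tag") in
    gh)
      have_tool "$GH_BIN" || { echo "PARTIAL: gh CLI not found" >&2; return 2; }
      # --repo takes OWNER/REPO. --signer-workflow pins the signing identity to
      # the release workflow (assumed path, see lead-in); drop it if the
      # project ever moves attestation into a dedicated reusable workflow.
      set -- "$bin" --repo robintra/perf-sentinel \
        --signer-workflow robintra/perf-sentinel/.github/workflows/release.yml
      [ -n "$extra" ] && set -- "$@" --bundle "$extra"
      "$GH_BIN" attestation verify "$@" || return 1
      ;;
    *)
      have_tool "$SLSA_VERIFIER_BIN" || { echo "PARTIAL: slsa-verifier not found" >&2; return 2; }
      "$SLSA_VERIFIER_BIN" verify-artifact \
        --provenance-path "${extra:-multiple.intoto.jsonl}" \
        --source-uri github.com/robintra/perf-sentinel \
        --source-tag "$tag" \
        "$bin" || return 1
      ;;
  esac
}

# Usage: ./verify-release.sh perf-sentinel-linux-amd64 v0.7.1 [bundle.jsonl]
if [ "$#" -ge 2 ]; then
  verify_release "$@"
fi
```

Chaining `./verify-release.sh perf-sentinel-linux-amd64 v0.7.1 && deploy` preserves the gate semantics the release notes describe: a missing verifier yields 2 and a failed verification yields 1, and both stop the deploy.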
Documentation
- `docs/SUPPLY-CHAIN.md` and `docs/FR/SUPPLY-CHAIN-FR.md` §"SLSA build provenance" rewritten end-to-end with the new `gh attestation verify` command, the `gh` CLI prerequisite, and a migration note for consumers still pinned on v0.7.0.
- `docs/REPORTING.md` + FR §"Binary build provenance" and the exit code table cell for PARTIAL updated.
- `docs/SCHEMA.md` + FR §"Integrity" documents both verification commands (the legacy one for v0.7.0, the new one for v0.7.1+) and explains the `slsa_level` enum bump.
- `docs/METHODOLOGY.md` + FR §"Cryptographic integrity" mentions both pipelines side by side.
- `docs/design/10-SIGSTORE-ATTESTATION.md` + FR §"Failure modes" rewrites the binary attestation delegation paragraph.
- Example reports under `docs/schemas/examples/` bump their `integrity.binary_verification_url` to v0.7.1.
Helm chart
charts/perf-sentinel bumped from 0.2.35 to 0.2.36, appVersion from 0.7.0 to 0.7.1. The artifacthub.io/changes annotation surfaces the SLSA migration and the breaking-change recipe on Artifact Hub. See the chart-v0.2.36 release for the chart-side detail.
Why this migration was scoped to a 0.7.1 patch
perf-sentinel is pre-1.0 (0.y.z), where semver explicitly allows breaking changes between minor or patch versions. The migration was scoped to a patch rather than a minor (0.8.0) because the only externally-visible breakage is the slsa-verifier to gh attestation verify recipe, which a consumer can opt into immediately by following the migration block above. The daemon binary, the disclose and verify-hash subcommands, the report JSON schema, and the Helm chart manifests are all backward-compatible on the contracts they exposed in v0.7.0.
Full Changelog: v0.7.0...v0.7.1