github robintra/perf-sentinel v0.7.1


What's new in v0.7.1

v0.7.1 is a supply-chain maintenance release. The SLSA build provenance tooling moves from slsa-framework/slsa-github-generator@v2.1.0 (in de-facto maintenance since 2025-02-24, all internal actions stuck on Node.js 20 while GitHub-hosted runners switch to Node 24 default on 2 June 2026) to GitHub-native actions/attest-build-provenance. The new pipeline produces a SLSA Build L3 attestation (level up from L2), stores it on the GitHub attestations API instead of a release asset, and is verified with gh attestation verify instead of slsa-verifier verify-artifact. Daemon and verify-hash behavior on already-clean inputs is preserved byte-for-byte from v0.7.0.

Breaking change for downstream verification

A script that fetched multiple.intoto.jsonl from the release assets and ran slsa-verifier verify-artifact --provenance-path multiple.intoto.jsonl ... no longer works on 0.7.1+ binaries. The asset is no longer published. Migration on the consumer side:

# v0.7.0 (legacy, still works for the v0.7.0 binary):
slsa-verifier verify-artifact \
  --provenance-path multiple.intoto.jsonl \
  --source-uri github.com/robintra/perf-sentinel \
  --source-tag v0.7.0 \
  perf-sentinel-linux-amd64

# v0.7.1+ (new):
gh attestation verify perf-sentinel-linux-amd64 \
  --owner robintra \
  --repo perf-sentinel

Requires gh CLI 2.49+ (earlier versions do not implement gh attestation verify). The v0.7.0 release retains its legacy multiple.intoto.jsonl and is unaffected; the breaking change applies only to v0.7.1 onward.

SLSA pipeline migration

  • actions/attest-build-provenance@v4.1.0 replaces the previous reusable workflow. SHA-pinned in .github/workflows/release.yml, same pattern as helm-release.yml was already using for the chart attestation.
  • Two release-workflow jobs are collapsed: compute-subjects (which produced the base64-encoded SHA list fed to the reusable generator) and the standalone call to the provenance reusable workflow are both removed. The attestation step now runs inside the existing release job, right after the SHA256SUMS generation.
  • SLSA level claim bumped from L2 to L3. actions/attest-build-provenance produces a level-3 attestation by construction (provenance signed via Sigstore OIDC, builder isolation on a GitHub-hosted runner), so the integrity.binary_attestation.slsa_level field declared in disclosure reports now reads "L3" for 0.7.1+ builds.
  • The attestation lives in the GitHub attestations API, queryable by binary digest. There is no release-asset payload to mirror or republish; the trust root is the GitHub OIDC signing identity, recorded in the public Sigstore Rekor transparency log.

verify-hash hint update

  • verify_binary_attestation now prints `Verify the binary with gh attestation verify --owner robintra --repo perf-sentinel` instead of the previous `slsa-verifier verify-artifact --provenance-path ...` recipe.
  • The PARTIAL exit code (2) is now triggered by the gh CLI being absent rather than by slsa-verifier being absent. The behavior of a scripted verify-hash && deploy gate is unchanged: it still blocks on any non-zero code.
  • No change to content hash recompute, Sigstore signature verification, identity binding, or any other check. The migration is scoped to the SLSA verification slot only.
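The consumer-side migration block above and the PARTIAL exit-code contract of the verify-hash gate can be combined into one deploy gate. The script below is an added example, not code from the perf-sentinel project; the second argument (an alternative gh binary path) and the exit-code mapping of the wrapper are assumptions for illustration and testing.

```shell
#!/bin/sh
# Added example, not part of perf-sentinel: a consumer-side "verify then
# deploy" gate that mirrors the v0.7.1 exit-code contract described above.
# Exit codes: 0 = attestation verified, 1 = verification failed or binary
# missing, 2 = PARTIAL (gh CLI absent or older than 2.49, so no verdict).
# The second argument (gh binary path) is an assumed convenience for testing.

# gh attestation verify ships in gh CLI 2.49+; compare major.minor only.
gh_version_ok() {
  major=$(printf '%s' "$1" | cut -d. -f1)
  minor=$(printf '%s' "$1" | cut -d. -f2)
  [ "${major:-0}" -gt 2 ] || { [ "${major:-0}" -eq 2 ] && [ "${minor:-0}" -ge 49 ]; }
}

verify_release_binary() {
  binary="$1"
  gh_bin="${2:-gh}"
  [ -f "$binary" ] || { echo "FAIL: $binary not found" >&2; return 1; }
  # PARTIAL (2): the verifier itself is missing, so nothing was checked.
  if ! command -v "$gh_bin" >/dev/null 2>&1; then
    echo "PARTIAL: $gh_bin not installed; $binary is unverified" >&2
    return 2
  fi
  # First line of 'gh --version' reads "gh version X.Y.Z (date)".
  ver=$("$gh_bin" --version 2>/dev/null | awk 'NR==1 {print $3}')
  if ! gh_version_ok "${ver:-0.0.0}"; then
    echo "PARTIAL: gh ${ver:-unknown} too old; need 2.49+" >&2
    return 2
  fi
  # Binds the binary digest to provenance signed by the repo's GitHub OIDC identity.
  "$gh_bin" attestation verify "$binary" --owner robintra --repo perf-sentinel \
    || { echo "FAIL: attestation verification failed for $binary" >&2; return 1; }
}

# Usage in a deploy pipeline (any non-zero code blocks the deploy):
#   verify_release_binary perf-sentinel-linux-amd64 && ./deploy.sh
```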

Documentation

  • docs/SUPPLY-CHAIN.md and docs/FR/SUPPLY-CHAIN-FR.md §"SLSA build provenance" rewritten end-to-end with the new gh attestation verify command, the gh CLI prerequisite, and a migration note for consumers still pinned on v0.7.0.
  • docs/REPORTING.md + FR §"Binary build provenance" and the exit code table cell for PARTIAL updated.
  • docs/SCHEMA.md + FR §"Integrity" documents both verification commands (the legacy one for v0.7.0, the new one for v0.7.1+) and explains the slsa_level enum bump.
  • docs/METHODOLOGY.md + FR §"Cryptographic integrity" mentions both pipelines side by side.
  • docs/design/10-SIGSTORE-ATTESTATION.md + FR §"Failure modes" rewrites the binary attestation delegation paragraph.
  • Example reports under docs/schemas/examples/ bump their integrity.binary_verification_url to v0.7.1.

Helm chart

charts/perf-sentinel 0.2.35 to 0.2.36, appVersion 0.7.0 to 0.7.1. The artifacthub.io/changes annotation surfaces the SLSA migration and the breaking-change recipe on Artifact Hub. See chart-v0.2.36 release for the chart-side detail.

Why this migration was scoped to a 0.7.1 patch

perf-sentinel is pre-1.0 (0.y.z), where semver explicitly allows breaking changes between minor or patch versions. The migration was scoped to a patch rather than a minor (0.8.0) because the only externally-visible breakage is the slsa-verifier to gh attestation verify recipe, which a consumer can opt into immediately by following the migration block above. The daemon binary, the disclose and verify-hash subcommands, the report JSON schema, and the Helm chart manifests are all backward-compatible on the contracts they exposed in v0.7.0.

Full Changelog: v0.7.0...v0.7.1
