We re-review every pinned-SHA bump of this action downstream at apache/infrastructure-actions#915, rebuilding dist/ from source and reconciling any in-tree binaries against upstream provenance. v4.0.0 fails on two counts:
-
dist/ doesn't reproduce from source. Rebuilding from the v4.0.0 source (after the tsconfig.json lib: ["es2022"] change) produces a different dist/index.js / dist/thread.js than what's committed, so we can't confirm the published bundle corresponds to the source it's built from.
-
dist/elf_cam_bg.wasm has no provenance. It's committed directly to the repo, and the v4.0.0 release ships no assets — no SHA256SUMS, no SLSA attestation — so there's no way to tie the binary's bytes back to a build.
Would you consider (a) making the dist/ build reproducible so it can be verified from source, and (b) adding actions/attest-build-provenance to the release workflow (or shipping a SHA256SUMS asset) so the bundled .wasm is verifiable? Happy to help with a PR.
We re-review every pinned-SHA bump of this action downstream at apache/infrastructure-actions#915, rebuilding
dist/from source and reconciling any in-tree binaries against upstream provenance. v4.0.0 fails on two counts:dist/doesn't reproduce from source. Rebuilding from the v4.0.0 source (after thetsconfig.jsonlib: ["es2022"]change) produces a differentdist/index.js/dist/thread.jsthan what's committed, so we can't confirm the published bundle corresponds to the source it's built from.dist/elf_cam_bg.wasmhas no provenance. It's committed directly to the repo, and the v4.0.0 release ships no assets — noSHA256SUMS, no SLSA attestation — so there's no way to tie the binary's bytes back to a build.Would you consider (a) making the
dist/build reproducible so it can be verified from source, and (b) addingactions/attest-build-provenanceto the release workflow (or shipping aSHA256SUMSasset) so the bundled.wasmis verifiable? Happy to help with a PR.