Skip to content

Modify release workflow to allow immutable releases #410

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 5, 2025
Merged

Modify release workflow to allow immutable releases #410

merged 1 commit into from
Nov 5, 2025
+105 −10

Conversation

@asgrim
Copy link
Collaborator

@asgrim asgrim commented Nov 4, 2025
edited
Loading

Fixes #411

Instead of creating the release by hand and then having a workflow triggered to add the release, which is not possible if immutable releases are enabled, we will now:

  • run the release workflow on "tag" instead of "release"
  • the workflow creates a DRAFT release based on the tag that triggered
  • the workflow then attaches the PHAR to the release
  • maintainer must then review the release, ensure it is correct, then publish

Once the release is published (assuming immutable releases are enabled):

  • the tag is immutable
  • the attached assets on the release are immutable
  • the flag that dictates pre-release/latest release status is immutable
  • the release changelog may still be changed
  • the release title may still be changed
  • a release attestation is added to the release which can be verified

The release can be verified with:

gh release verify <release-tag>

A given pie.phar on your machine can be verified as the release asset with:

gh release verify-asset <release-tag> pie.phar

For more documentation, see:
https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases

@asgrim
Modify release workflow to allow immutable releases
458bf2d 
Instead of creating the release by hand and then having a workflow triggered
to add the release, which is not possible if immutable releases are enabled,
we will now:

 - run the release workflow on "tag" instead of "release"
 - the workflow creates a DRAFT release based on the tag that triggered
 - the workflow then attaches the PHAR to the release
 - maintainer must then review the release, ensure it is correct, then publish

Once the release is published (assuming immutable releases are enabled):

 - the tag is immutable
 - the attached assets on the release are immutable
 - the flag that dictates pre-release/latest release status is immutable
 - the release changelog may still be changed
 - the release title may still be changed
 - a release attestation is added to the release which can be verified

The release can be verified with:

```shell
gh release verify <release-tag>
```

A given `pie.phar` on your machine can be verified as the release asset with:

```shell
gh release verify-asset <release-tag> pie.phar
```

For more documentation, see:
https://docs.github.com/en/code-security/supply-chain-security/understanding-your-software-supply-chain/immutable-releases
@asgrim asgrim self-assigned this Nov 4, 2025
@asgrim asgrim added documentation Improvements or additions to documentation enhancement New feature or request github_actions Pull requests that update GitHub Actions code labels Nov 4, 2025
@asgrim asgrim added this to the 1.3.0 milestone Nov 4, 2025
@asgrim asgrim merged commit fe7e8e9 into php:main Nov 5, 2025
28 checks passed
@asgrim asgrim deleted the modify-release-workflow-for-immutable-releases branch November 5, 2025 15:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@asgrim asgrim

Labels

documentation Improvements or additions to documentation enhancement New feature or request github_actions Pull requests that update GitHub Actions code

Projects

None yet

Milestone

1.3.0

Development

Successfully merging this pull request may close these issues.

Investigate immutable releases

1 participant

@asgrim