Skip to content

Re-enable SLSA build provenance once upstream supports Node24 runners #147

Description

@felixgeelhaar

Problem

The slsa-provenance job in .github/workflows/release.yml (slsa-framework/slsa-github-generator generator_generic_slsa3.yml@v2.1.0) started failing on every release: GitHub now forces Node20 actions onto Node24 runners, and v2.1.0's internal actions break under Node24 ("Input required and not supplied: path", exit 127). v2.1.0 is the latest release — there is nothing newer to bump to, and continue-on-error is not allowed on reusable-workflow jobs.

Confirmed: the job passed on v0.76.0 and failed on v0.77.0 (release itself succeeded — binaries, GHCR docker images, cosign sigs, SBOMs all published).

Interim (done)

Disabled the job via if: ${{ vars.ENABLE_SLSA_PROVENANCE == 'true' }} (unset = skipped). The release retains GitHub-native build-provenance attestation (the goreleaser job's actions/attest-build-provenance step), verifiable with gh attestation verify — so provenance is still attested, just not the SLSA-framework .intoto.jsonl.

To re-enable

When slsa-github-generator ships a Node24-compatible release:

  1. Bump the uses: pin (SHA + version) in release.yml.
  2. Set repo variable ENABLE_SLSA_PROVENANCE=true.

Refs: v0.77.0 release run, https://github.blog/changelog/2025-09-19-deprecation-of-node-20-on-github-actions-runners/

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions