ruff #23111

[ruff] Add attestations for release artifacts and Docker images

by shaanmajid · Feb 06, 2026 at 19:12 UTC · scan-c3abccdad59d08fc

High Risk (55%)

Risk Assessment

Risk level: High (55%)

Risk Drivers

  • new_contributor: First contribution from shaanmajid
  • touches_ci_config: Modifies ci_config code

Intent

2/3 criteria met

Add attestations for release artifacts and Docker images

Acceptance Criteria

  • Add GitHub artifact attestations (SLSA provenance) for release artifacts

    .github/workflows/release.yml updates include attestation permissions

  • Add GitHub artifact attestations for Docker images

    .github/workflows/build-docker.yml updates include attestation permissions

  • Enable verification of artifacts via specified commands (not verified)

    Commands are noted in PR description, but not verifiable from diff

Confidence: 90.0% Source: pr description AI: openai

Contributors

shaanmajid (PR Author, 3 commits, New Contributor)
Account Age: 1980 days
Prior PRs: 1

First-time contributor to this repository. Unfamiliar with 3 files.

Evidence

Evidence Completeness: 0.0%
Missing: ci_passing, tests_passing, lint_passing, security_scan_clean, coverage_maintained, build_successful

Supply Chain

Elevated Risk
Modifies dependencies
Modifies lockfile
Modifies CI config
Modifies build scripts

Focus Files

Focus on 1 critical file(s)

  • .github/workflows/build-docker.yml (+59) [critical]: Modifies ci_config code; 59 lines changed; Configuration
  • .github/workflows/release.yml (+15) [high]: Modifies ci_config code; Configuration
  • dist-workspace.toml (+10) [low]: Configuration

Triage

  • Minutes to review: 16
  • Effort level: medium
  • Staleness risk: none

Prioritize for security-sensitive review

Recommendation

NEEDS DISCUSSION 23.0% readiness

Insufficient evidence (CI/tests) to evaluate

Next Steps

Concern .github/workflows/build-docker.yml

Requires security review for ci_config changes

Question

Why is ci_passing missing? Consider adding this check.

Question

Why is tests_passing missing? Consider adding this check.

Concern .github/workflows/build-docker.yml

Critical file: Modifies ci_config code; 59 lines changed; Configuration

Suggestion .github/workflows/build-docker.yml

CI configuration changed - verify build/deploy behavior

Nitpick

First contribution - consider welcoming and providing extra context