Back to Zeroclaw

Release Runbook — Attestation Step Failure

docs/maintainers/release-attestation-runbook.md

0.8.33.4 KB
Original Source

Release Runbook — Attestation Step Failure

File: .github/workflows/release-stable-manual.ymlpublish job Step: Attach SLSA provenance attestation Policy: continue-on-error: true (Phase A — best-effort)


Symptoms

  • The Attach SLSA provenance attestation step logs a failure
  • The Download attestation bundles for offline verification step fails or is skipped
  • The Create tag and release step runs anyway
  • If attestation failed, release notes include an attestation-unavailable note with the workflow run URL
  • If bundle download failed, online verification still works but release assets lack offline bundle files

Immediate Triage

Read the step log. Match the error:

Error PatternLikely CauseAction
401 UnauthorizedOIDC token issue — transientRetry the workflow. If it passes, done.
429 Too Many RequestsGitHub API rate limit — burstWait 5 minutes, retry.
500 Internal Server ErrorGitHub API outageCheck status.github.com. Retry when green.
404 Not FoundSubject path glob matched nothing or attestation not visible yetCheck release-assets/ directory contents. Retry if assets exist.
could not parse OIDC tokenRunner identity issueCheck id-token: write permission is still on the publish job.
unknown flagGitHub CLI interface changedUpdate the affected gh attestation invocation and docs together.
Timeout (>260s)Network issue or GH API slowRetry. If persistent, check runner connectivity.

Decision Matrix

ScenarioActionEscalation?
First failure in weeksRetry the workflowNo
2-3 failures in a rowRetry once. If still fails, check status.github.comNo
3+ consecutive releases failingInvestigate permissions or action version changeFile a security issue with collected evidence
Every release fails since deployBug in the workflow change — revert the attestation stepPage author

How to Retry

  1. Go to the failed workflow run
  2. Click Re-run jobsRe-run failed jobs
  3. Only the publish job re-runs — build artifacts are preserved

If All Else Fails — Manual Remediation

If attestation succeeded but bundle download failed, users can still download bundles themselves:

bash
gh attestation download <artifact> --repo zeroclaw-labs/zeroclaw
gh attestation trusted-root > trusted_root.jsonl
gh attestation verify <artifact> \
  --repo zeroclaw-labs/zeroclaw \
  --signer-workflow zeroclaw-labs/zeroclaw/.github/workflows/release-stable-manual.yml \
  --source-digest <commit-sha> \
  --bundle sha256:<digest>.jsonl \
  --custom-trusted-root trusted_root.jsonl

If the release was published without attestations, document the gap in the release notes:

bash
gh release edit <tag> --notes-file - <<EOF
NOTE: SLSA attestation is unavailable for this release due to a
transient pipeline failure. See PR #8277 for context.
EOF

Key constraint: Attestation generation requires GitHub's OIDC token, which only exists inside a workflow run. You cannot retroactively generate attestations from a local machine.


Prevention

  • Consider promoting to Phase B (continue-on-error: false + alert on failure) once Phase A has stabilized
  • Monitor attestation step duration — sudden slowdowns precede outages
  • Keep actions/attest-build-provenance version pinned (already done)