From 005ab91255e724a707c5e2ada941a744aa1ba4fb Mon Sep 17 00:00:00 2001 From: Brian Love Date: Fri, 19 Jun 2026 15:01:20 -0700 Subject: [PATCH] ci(slsa): make release-provenance dispatchable + upload-tag-name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Adds workflow_dispatch(tag) and passes upload-tag-name to the SLSA generator so the attestation uploads to the right release regardless of github.ref. This lets the flow be verified by dispatching against an existing tag (e.g. v0.0.50) from main — without blind-firing a real release, and sidestepping the tag-commit-binding that made earlier fixes untestable. Also pins the build to the tag's code (checkout ref) so the tarballs match what shipped. Co-Authored-By: Claude Opus 4.8 (1M context) --- .github/workflows/release-provenance.yml | 23 ++++++++++++++++++++++- 1 file changed, 22 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release-provenance.yml b/.github/workflows/release-provenance.yml index aa7a1e66..3cce243c 100644 --- a/.github/workflows/release-provenance.yml +++ b/.github/workflows/release-provenance.yml @@ -1,8 +1,22 @@ name: Release provenance (SLSA) +# Attaches npm-pack tarballs + a signed SLSA provenance (*.intoto.jsonl) to a +# GitHub Release so OSSF Scorecard's Signed-Releases check can verify them. +# Runs automatically on a published release, and can be dispatched manually +# against an existing tag. `upload-tag-name` lets the dispatch path upload to +# the right release even though github.ref is a branch, not the tag — which +# also sidesteps the "release events run the workflow from the tag commit" +# trap (a fix on main can be exercised by dispatching it against an old tag). + on: release: types: [published] + workflow_dispatch: + inputs: + tag: + description: "Existing release tag to attest (e.g. v0.0.50)" + required: true + type: string permissions: contents: read 
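Review bot: The new header comment presents a dispatched run as attesting "an existing tag", but as far as I can tell the SLSA generator records the run's own `github.ref` and `github.sha` (the branch it was dispatched from) as the provenance source, not the tag the build job checks out via `ref:`, so the attestation uploaded to `v0.0.50` would describe main's commit while the subjects come from the tag's tree. A verifier pinned with `--source-tag` would then reject it, and a reader of the attestation could be misled about which commit produced the tarballs. Suggest stating this in the comment block, e.g. `# NOTE: on workflow_dispatch the provenance's source ref/sha are the run's (the branch), not the tag — do not rely on --source-tag for dispatched runs.` The `tag` input has no format check beyond `required: true`; that is acceptable since a non-existent ref fails at checkout, but the description could say the tag must already exist as a published release.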
@@ -17,10 +31,16 @@ jobs: contents: write # gh release upload attaches tarballs to the release outputs: hashes: ${{ steps.hash.outputs.hashes }} + tag: ${{ steps.tag.outputs.tag }} env: NPM_PUBLISHABLE_PROJECTS: chat,langgraph,ag-ui,render,a2ui,licensing,telemetry steps: + - name: Resolve target tag + id: tag + run: echo "tag=${{ github.event.release.tag_name || inputs.tag }}" >> "$GITHUB_OUTPUT" - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + with: + ref: ${{ steps.tag.outputs.tag }} - uses: actions/setup-node@53b83947a5a98c8d113130e565377fae1a50d02f # v6.3.0 with: node-version: 24 @@ -44,7 +64,7 @@ jobs: - name: Upload tarballs to the release env: GH_TOKEN: ${{ github.token }} - run: gh release upload "${{ github.event.release.tag_name }}" --clobber -- release-artifacts/*.tgz + run: gh release upload "${{ steps.tag.outputs.tag }}" --clobber -- release-artifacts/*.tgz provenance: needs: [build-artifacts] @@ -56,3 +76,4 @@ jobs: with: base64-subjects: ${{ needs.build-artifacts.outputs.hashes }} upload-assets: true + upload-tag-name: ${{ needs.build-artifacts.outputs.tag }}
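Review bot: The new `Resolve target tag` step expands `${{ github.event.release.tag_name || inputs.tag }}` directly into the `run:` script text, so a tag name or dispatch input containing `"`, `$(`, or a newline alters the command or appends extra lines to `$GITHUB_OUTPUT`; both values originate from actors with write access, so exposure is limited, but it is the expression-in-script pattern GitHub's own hardening guidance tells workflows to avoid. Pass the value through the environment instead: `env:` / `TAG: ${{ github.event.release.tag_name || inputs.tag }}` / `run: echo "tag=$TAG" >> "$GITHUB_OUTPUT"`. The rewritten `gh release upload` line in the next hunk has the same shape and can take `TAG: ${{ steps.tag.outputs.tag }}` under its existing `env:` with `run: gh release upload "$TAG" --clobber -- release-artifacts/*.tgz`. The enclosing `build-artifacts` job begins before this hunk.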
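Review bot: Because `--clobber` is now reachable from `workflow_dispatch`, anyone who can dispatch this workflow can replace the tarballs of any existing release after it shipped, and, if the generator's `upload-assets` overwrites as well (which I believe it does), the originally published `*.intoto.jsonl` is replaced rather than added alongside it. That is exactly what the commit wants for testing a fix on main, but it also means a published release's signed artifacts become mutable by any write-access actor with no approval step. Consider gating the dispatch path behind a protected `environment:` with required reviewers, or at least recording in the header comment that a dispatched run overwrites shipped assets and provenance. The `provenance` job that performs the attestation upload lies outside this hunk.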