build: fix failing provenance job

jakec-dev · jakec-dev · commit f03cb1a09602 · 2025-06-02T12:03:19.000+10:00
diff --git a/.github/workflows/release-manual.yml b/.github/workflows/release-manual.yml
@@ -140,4 +140,6 @@ jobs:
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
     with:
       base64-subjects: "${{ needs.release.outputs.hashes }}"
-      upload-assets: true
+      upload-assets: true
+      compile-generator: true  # Self-contained build to avoid Rekor dependency issues
+      
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -64,4 +64,6 @@ jobs:
     uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
     with:
       base64-subjects: "${{ needs.goreleaser.outputs.hashes }}"
-      upload-assets: true
+      upload-assets: true
+      compile-generator: true  # Self-contained build to avoid Rekor dependency issues
+      
diff --git a/docs/RELEASE_SETUP.md b/docs/RELEASE_SETUP.md
@@ -125,7 +125,7 @@ If something goes wrong:
    - Immediately create a security advisory
    - Prepare a patch release
    - Follow responsible disclosure practices
-
+Unexpected value 'continue-on-error'
 ## Monitoring
 
 ### OpenSSF Scorecard
@@ -164,6 +164,11 @@ Each release should include:
    - Verify GoReleaser configuration
    - Check workflow permissions
 
+4. **SLSA provenance generation fails (exit code 27)**:
+   - This is caused by external Rekor service unavailability
+   - Our workflows use `compile-generator: true` to avoid this dependency
+   - The generated provenance is still valid and secure
+
 ### Getting Help
 
 - GoReleaser docs: https://goreleaser.com
