ReaperCI Documentation

ReaperCI documentation

Release verification

ReaperCI release assets are reproducible inputs for Linux amd64 and arm64, not trust-on-first-download files. Every release contains architecture-specific hub/connector archives, SPDX JSON SBOMs, an installer bundle, the production Compose definition, SHA-256 checksums, and a keyless Sigstore bundle for those checksums. The multi-architecture OCI image also carries BuildKit SBOM and provenance attestations and is signed by the release workflow identity.

Verify downloaded assets

Install cosign, then download checksums.txt, checksums.txt.sigstore.json, and the required release files into one directory. Verify the workflow identity before trusting the checksum list:

version=v0.1.0
cosign verify-blob \
  --bundle checksums.txt.sigstore.json \
  --certificate-identity-regexp "^https://github.com/clow99/ReaperCI/.github/workflows/release.yml@refs/tags/${version}$" \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  checksums.txt
sha256sum --ignore-missing --check checksums.txt

The identity expression must name this repository, this workflow, and the exact release tag. Do not weaken it to a generic GitHub pattern. Inspect the matching linux-amd64.spdx.json or linux-arm64.spdx.json before installation when software inventory policy applies.

Verify the container image

Resolve and verify the immutable digest rather than trusting a mutable tag:

image=ghcr.io/clow99/reaperci:v0.1.0
digest="$(docker buildx imagetools inspect "$image" --format '{{json .Manifest.Digest}}' | tr -d '"')"
cosign verify \
  --certificate-identity-regexp '^https://github.com/clow99/ReaperCI/.github/workflows/release.yml@refs/tags/v0\.1\.0$' \
  --certificate-oidc-issuer https://token.actions.githubusercontent.com \
  "ghcr.io/clow99/reaperci@${digest}"

Pre-release tags such as v0.1.0-rc.1 never move latest. Stable releases do publish latest, but production installation and upgrade commands must still use the immutable semantic version or digest.

When the canonical GitHub repository becomes public at GA, the same workflow also records GitHub artifact attestations. Verify them with gh attestation verify <file> --repo clow99/ReaperCI. Private beta releases use the signed checksum bundle as the downloadable-asset trust root because GitHub artifact attestations for private repositories require an eligible Enterprise plan.