fix: add last-release-sha to Release Please config #461

Closed
Aureliolo wants to merge 3 commits into main from fix/release-please-baseline

Conversation

@Aureliolo
Owner

Summary

  • Add last-release-sha pointing to the v0.2.5 tag commit to Release Please config
  • Fixes the recurring bogus "release 0.2.0" PR that keeps appearing after every release

Context

The v0.2.4 recovery (manual version reset) corrupted Release Please's commit history walk, causing it to compute versions from the beginning of the repo instead of from the last tag. The last-release-sha field is a one-time anchor that tells Release Please where to start looking.

Test plan

  • After merge, Release Please either creates no PR (no new releasable commits) or creates a correct v0.2.6 PR
  • The "release 0.2.0" PR does not reappear

Commits (3)

Scorecard's Signed-Releases check classifies .sigstore.json as a signature artifact but not as provenance. Extract the DSSE envelope from the Sigstore bundle and upload it as checksums.txt.intoto.jsonl, which Scorecard recognises as SLSA provenance.

Add -e flag to jq so the step exits non-zero if .dsseEnvelope is null or absent, preventing upload of an invalid .intoto.jsonl to an immutable release.

Release Please kept computing v0.2.0 instead of the next patch because manual version resets during the v0.2.4 recovery corrupted its commit history walk. Pin last-release-sha to the v0.2.5 tag commit so it only considers commits after that baseline.
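As an added example (not the project's workflow or code), the fail-fast extraction described in the second commit, modelled in Python rather than jq: a constructed Sigstore bundle is read, its dsseEnvelope is refused when null or absent (the contract `jq -e '.dsseEnvelope'` enforces through its exit status), and the envelope is rendered in the single-line checksums.txt.intoto.jsonl layout. The payloadType check is an extra guard this example adds beyond the jq step; the bundle contents are constructed, not taken from a real release.

```python
import base64
import json

IN_TOTO_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed sample bundle (not a real Sigstore bundle from the project):
# only the fields this example reads are modelled; verification material
# (certificate, transparency-log entry) is omitted.
SAMPLE_BUNDLE = {
    "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
    "dsseEnvelope": {
        "payload": base64.b64encode(json.dumps({
            "_type": "https://in-toto.io/Statement/v1",
            "predicateType": "https://slsa.dev/provenance/v1",
        }).encode()).decode(),
        "payloadType": IN_TOTO_PAYLOAD_TYPE,
        "signatures": [{"sig": base64.b64encode(b"constructed-signature").decode()}],
    },
}

class MissingEnvelope(ValueError):
    """No usable dsseEnvelope; the step must fail instead of uploading a file."""

def extract_dsse_envelope(bundle: dict) -> dict:
    """Return bundle['dsseEnvelope'], refusing null or absent like `jq -e '.dsseEnvelope'`."""
    env = bundle.get("dsseEnvelope")
    if env is None:
        raise MissingEnvelope("bundle has no dsseEnvelope")
    # Extra guard beyond the jq step: Scorecard expects an in-toto statement.
    if env.get("payloadType") != IN_TOTO_PAYLOAD_TYPE:
        raise MissingEnvelope(f"unexpected payloadType {env.get('payloadType')!r}")
    return env

def has_usable_envelope(bundle: dict) -> bool:
    """True when extraction succeeds, False when the workflow step should exit non-zero."""
    try:
        extract_dsse_envelope(bundle)
        return True
    except MissingEnvelope:
        return False

def render_intoto_jsonl(bundle: dict) -> str:
    """Serialise the envelope as one compact JSON line (the .intoto.jsonl layout)."""
    return json.dumps(extract_dsse_envelope(bundle), separators=(",", ":")) + "\n"

def statement_type(bundle: dict) -> str:
    """Decode the DSSE payload and return the in-toto statement's _type."""
    payload = base64.b64decode(extract_dsse_envelope(bundle)["payload"])
    return json.loads(payload)["_type"]
```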
@github-actions
Contributor

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

@gemini-code-assist
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical issue in the release automation process by correcting the behavior of Release Please. Following a manual version reset, Release Please was incorrectly computing versions from the repository's beginning, leading to spurious release proposals. By anchoring Release Please to a specific historical commit, this change ensures accurate versioning and prevents the creation of erroneous release pull requests, thereby streamlining the release workflow.

Highlights

  • Release Please Configuration: Added the "last-release-sha" field to the Release Please configuration, pointing to the v0.2.5 tag commit.
  • Release Automation Fix: Resolved the issue of recurring bogus "release 0.2.0" pull requests by providing Release Please with a specific commit SHA to begin its history walk.
Changelog
  • .github/release-please-config.json
    • Configured Release Please to use a specific last release SHA to correct versioning behavior.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/cli.yml

@coderabbitai
Contributor

coderabbitai Bot commented Mar 15, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 24a0d7a and 1106dc8.

📒 Files selected for processing (2)
  • .github/release-please-config.json
  • .github/workflows/cli.yml
🧰 Additional context used
📓 Path-based instructions (1)
.github/workflows/cli.yml

📄 CodeRabbit inference engine (CLAUDE.md)

CLI CI (.github/workflows/cli.yml) enforces golangci-lint, go vet, go test -race, govulncheck, fuzz testing (main-only, 30s/target, continue-on-error). GoReleaser on v* tags with cosign keyless signing + SLSA L3 provenance + install instructions + checksum table in release notes.

Files:

  • .github/workflows/cli.yml
🧠 Learnings (9)
📓 Common learnings (learnt from: CR; Repo: Aureliolo/synthorg PR: 0; File: CLAUDE.md:0-0; Timestamp: 2026-03-15T18:36:58.934Z unless noted)
  • Applies to .github/workflows/release.yml : Release (`.github/workflows/release.yml`) — Release Please auto-creates release PR on every main push, merging PR creates git tag (vX.Y.Z) + draft GitHub Release with changelog. Uses RELEASE_PLEASE_TOKEN secret. Config in `.github/release-please-config.json` and `.github/.release-please-manifest.json`. Auto-updates BSL Change Date in LICENSE to 3 years ahead. (Applied to .github/release-please-config.json)
  • Applies to .github/workflows/finalize-release.yml : Finalize Release (`.github/workflows/finalize-release.yml`) — publishes draft releases on Docker + CLI workflow completion. Verifies both succeeded, extracts CLI checksums/verification and container data, assembles combined Verification section in release notes. Handles TOCTOU races. Immutable releases enabled. (Applied to .github/workflows/cli.yml)
  • CLI must generate SLSA L3 provenance attestations for binaries and checksums file via `actions/attest-build-provenance`. (Applied to .github/workflows/cli.yml)
  • Applies to .github/workflows/cli.yml : CLI CI (`.github/workflows/cli.yml`) enforces golangci-lint, go vet, go test -race, govulncheck, fuzz testing (main-only, 30s/target, continue-on-error). GoReleaser on v* tags with cosign keyless signing + SLSA L3 provenance + install instructions + checksum table in release notes. (Applied to .github/workflows/cli.yml)
  • CLI binary must be signed with cosign (keyless signing of `checksums.txt` with `.sig` + `.pem` artifacts). (Applied to .github/workflows/cli.yml)
  • Applies to .github/workflows/docker.yml : CI Docker: build → scan → push to GHCR + cosign sign + SLSA L3 provenance via attest-build-provenance (images only pushed after Trivy/Grype scans pass). (Timestamp: 2026-03-15T11:48:14.867Z; applied to .github/workflows/cli.yml)
  • Applies to cli/.goreleaser.yml : CLI uses GoReleaser (`.goreleaser.yml`) for cross-compilation (linux/darwin/windows × amd64/arm64) and release asset generation. (Applied to .github/workflows/cli.yml)
  • Applies to .github/workflows/scorecard.yml : OSSF Scorecard (`.github/workflows/scorecard.yml`) — supply chain maturity scoring on push to main + weekly. SARIF upload to Security tab. Publish results for OpenSSF ecosystem. (Applied to .github/workflows/cli.yml)
🔇 Additional comments (2)
.github/release-please-config.json (1)

8-8: Good baseline anchor for Release Please history.

This is an appropriate fix to stop Release Please from recomputing versions from the repository start after the prior reset event.

.github/workflows/cli.yml (1)

339-346: DSSE extraction + dual asset upload is correctly implemented.

Using jq -e here is a solid fail-fast guard, and publishing both .sigstore.json and .intoto.jsonl improves downstream provenance compatibility without weakening existing verification flows.

Based on learnings: CLI must generate SLSA L3 provenance attestations for binaries and checksums file via actions/attest-build-provenance.


📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Enhanced CLI release workflow to extract and distribute additional attestation verification files alongside release artifacts.
    • Updated release configuration tracking for improved state management.

Walkthrough

The changes add a last-release-sha tracking entry to the release configuration and modify the CLI release workflow to extract the DSSE envelope from the attestation bundle and include the extracted data as a release asset.

Changes

  • Release Configuration (.github/release-please-config.json): Added "last-release-sha" entry with a specific commit SHA for release state tracking.
  • CLI Release Workflow (.github/workflows/cli.yml): Extract DSSE envelope from attestation bundle using jq and upload it as cli/dist/checksums.txt.intoto.jsonl alongside the sigstore.json release asset.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Suggested labels

autorelease: tagged

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Title check: Passed. The title directly describes the main change: adding 'last-release-sha' to the Release Please configuration, which aligns with the primary fix in the PR.
  • Description check: Passed. The description is well-related to the changeset, explaining the context and rationale for adding 'last-release-sha' to fix the recurring 'release 0.2.0' PR issue.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request adds last-release-sha to the Release Please configuration to fix an issue with incorrect release versioning. The change is correct and well-explained. I have one suggestion regarding the long-term maintainability of this configuration file.

"release-type": "python",
"package-name": "synthorg",
"include-component-in-tag": false,
"last-release-sha": "24a0d7aca1eb1b594a821581cf6a1ecc38c3e4c8",
Severity: medium

As noted in the pull request description and the release-please documentation, last-release-sha is a one-time anchor. To maintain a clean configuration and prevent potential confusion for future maintainers, it's advisable to remove this line after the next release has been successfully created. Please consider creating a follow-up ticket to track this cleanup task.

@Aureliolo
Owner Author

Wrong fix. The real solution is force-tag-creation: true in Release Please config.

@Aureliolo Aureliolo closed this Mar 15, 2026
@Aureliolo Aureliolo deleted the fix/release-please-baseline branch March 15, 2026 18:53