From 2bbd6feb365ee2198310229d44c2b5ab168a4c52 Mon Sep 17 00:00:00 2001
From: "Jose I. Paris"
Date: Mon, 2 Mar 2026 17:30:28 +0100
Subject: [PATCH 1/3] fix(release): promote project version after attestation push
Move the "Promote Chainloop Project Version" step from the release job to the finish_attestation job, ensuring it runs after chainloop attestation push. This prevents policy evaluations during push from referencing the renamed version instead of the original one.
Closes #2805
Signed-off-by: Jose I. Paris
---
.github/workflows/release.yaml | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 6a1447e91..42d679d01 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -57,6 +57,7 @@ jobs:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
outputs:
attestation_hash: ${{ steps.attest_goreleaser.outputs.attestation_hash }}
+ current_version: ${{ steps.project_version.outputs.current_version }}
steps:
- name: Install Cosign
@@ -171,17 +172,11 @@ jobs:
gh release download ${{ github.ref_name }} -A tar.gz -O /tmp/source-code.tar.gz
chainloop attestation add --name source-code --value /tmp/source-code.tar.gz --kind ARTIFACT --attestation-id ${{ env.ATTESTATION_ID }}
- - name: Promote Chainloop Project Version
- env:
- CHAINLOOP_PROJECT_NAME: "chainloop"
- CHAINLOOP_TOKEN: ${{ secrets.CHAINLOOP_TOKEN }}
+ - name: Read current project version
+ id: project_version
run: |
- current_version="$(cat .chainloop.yml | awk '/^projectVersion:/ {print $2}')"
- # Rename the existing pre-release into the actual release name
- echo "current_version=$current_version"
- echo "target_version=${{ github.ref_name }}"
- chainloop org describe
- chainloop project version update --project ${CHAINLOOP_PROJECT_NAME} --name $current_version --new-name ${{ github.ref_name }} || true
+ current_version="$(awk '/^projectVersion:/ {print $2}' .chainloop.yml)"
+ echo "current_version=$current_version" >> $GITHUB_OUTPUT
- name: Bump Chart and Dagger Version
run: .github/workflows/utils/bump-chart-and-dagger-version.sh deployment/chainloop extras/dagger ${{ github.ref_name }}
@@ -230,6 +225,14 @@ jobs:
exit 1
fi
+ - name: Promote Chainloop Project Version
+ if: ${{ success() }}
+ run: |
+ current_version="${{ needs.release.outputs.current_version }}"
+ echo "current_version=$current_version"
+ echo "target_version=${{ github.ref_name }}"
+ chainloop project version update --project chainloop --name $current_version --new-name ${{ github.ref_name }} || true
+
- name: Mark attestation as failed
if: ${{ failure() }}
run: |
From c2cc9129e977d1f7cd525a5db60c7f31e18fadb0 Mon Sep 17 00:00:00 2001
From: "Jose I. Paris"
Date: Mon, 2 Mar 2026 17:36:58 +0100
Subject: [PATCH 2/3] fix(release): use env vars to avoid template injection in promote step
Pass needs.release.outputs.current_version and github.ref_name through env variables instead of interpolating them directly in the run block.
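Review bot: The new `Read current project version` step writes whatever awk returns into `$GITHUB_OUTPUT` without checking it, so a missing or differently formatted `projectVersion:` key in `.chainloop.yml` produces an empty `current_version` that is only consumed much later by a `chainloop project version update ... || true` call, where the failure is swallowed. Fail here instead, before the output line: `if [ -z "$current_version" ]; then echo "::error::projectVersion not found in .chainloop.yml"; exit 1; fi`, and quote the target while at it: `echo "current_version=$current_version" >> "$GITHUB_OUTPUT"`. Note also that `awk '{print $2}'` keeps surrounding quotes if the value in `.chainloop.yml` is ever written as `projectVersion: "v1.2.3"`; if that is possible, strip them or read the key with a YAML-aware tool. The `release` job this step belongs to starts outside the hunk.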
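Review bot: The relocated promote step no longer sets `CHAINLOOP_TOKEN` (the deleted step in the `release` job passed `secrets.CHAINLOOP_TOKEN` explicitly), so unless `finish_attestation` exports it at job level — its header is outside the hunk — `chainloop project version update` runs unauthenticated and the trailing `|| true` hides the auth error. Even with the token present, `|| true` turns a failed rename into a green step, leaving the Chainloop project version under its pre-release name after the attestation has already been pushed with nothing in the run to show it; at minimum surface it, e.g. `... --new-name "$target_version" || echo "::warning::failed to promote project version $current_version"`, or drop `|| true` if the rename is a release requirement. `if: ${{ success() }}` is the default condition for a step and can be omitted.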
Signed-off-by: Jose I. Paris
---
.github/workflows/release.yaml | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
index 42d679d01..c2b6e7629 100644
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -227,11 +227,13 @@ jobs:
- name: Promote Chainloop Project Version
if: ${{ success() }}
+ env:
+ CURRENT_VERSION: ${{ needs.release.outputs.current_version }}
+ TARGET_VERSION: ${{ github.ref_name }}
run: |
- current_version="${{ needs.release.outputs.current_version }}"
- echo "current_version=$current_version"
- echo "target_version=${{ github.ref_name }}"
- chainloop project version update --project chainloop --name $current_version --new-name ${{ github.ref_name }} || true
+ echo "current_version=$CURRENT_VERSION"
+ echo "target_version=$TARGET_VERSION"
+ chainloop project version update --project chainloop --name "$CURRENT_VERSION" --new-name "$TARGET_VERSION" || true
- name: Mark attestation as failed
if: ${{ failure() }}
From 1cb207de13dafe6bdec65385ce8b06d9bed13d01 Mon Sep 17 00:00:00 2001
From: "Jose I. Paris"
Date: Mon, 2 Mar 2026 18:07:46 +0100
Subject: [PATCH 3/3] remove att phase from contract
Signed-off-by: Jose I. Paris
---
.github/workflows/contracts/chainloop-vault-release.yaml | 2 --
1 file changed, 2 deletions(-)
diff --git a/.github/workflows/contracts/chainloop-vault-release.yaml b/.github/workflows/contracts/chainloop-vault-release.yaml
index 961ab4784..63cfd1c91 100644
--- a/.github/workflows/contracts/chainloop-vault-release.yaml
+++ b/.github/workflows/contracts/chainloop-vault-release.yaml
@@ -11,8 +11,6 @@ spec:
with:
requirement_name: sbom-compliance
gate: true
- attestation_phases:
- - INIT
- ref: source-commit
with:
check_signature: yes
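Review bot: Moving the values into `env` closes the template-injection path, but the step still calls `chainloop project version update` with no check that `CURRENT_VERSION` is non-empty or that `TARGET_VERSION` is a release tag; `github.ref_name` is a branch name when the workflow runs from a non-tag ref, which would rename the project version to something like `main`, and an empty `CURRENT_VERSION` just fails into `|| true`. Add a guard before the update, `if [ -z "$CURRENT_VERSION" ] || [ "$CURRENT_VERSION" = "$TARGET_VERSION" ]; then echo "::notice::nothing to promote"; exit 0; fi`, and put `if: github.ref_type == 'tag'` on the step if the workflow's `on:` triggers (not visible here) allow anything other than tag pushes. The `finish_attestation` job enclosing this step starts outside the hunk.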
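Review bot: Removing `attestation_phases: [INIT]` changes when the `sbom-compliance` policy, which has `gate: true`, is evaluated, and neither the contract nor the commit message ("remove att phase from contract") records what phase set now applies or why the INIT-only restriction was wrong; add a comment above the policy entry along the lines of `# no attestation_phases: evaluated at Chainloop's default phases (see #2805)` once the default and the motivation are confirmed — the link to #2805 is inferred from the series, not shown here. The adjacent `check_signature: yes` relies on YAML 1.1 truthy parsing; if the contract schema expects a boolean, `check_signature: true` is the unambiguous form.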