ci: restore Security Deep pipeline and gate publish on attestation

[27Bslash6]

Why

Security Deep (nightly ASan/TSan/MSan, Kani, fuzzing) has been red every night for weeks — and because it's schedule-only, not a required check, and had no alerting, nobody was told. Four independent root causes, plus a release pipeline that can publish wheels without provenance. For a product whose differentiator is zero-knowledge encryption, that validation gap matters more right before a paid launch.

What

security-deep.yml

• sanitizers — added RUSTUP_HOME/CARGO_HOME=/tmp (the matrix job was missing the pin that fuzzing and miri-full already have). Fixes Invalid cross-device link (os error 18) when rustup stages nightly/rust-src across the ARC runner's overlay/hostPath boundary.
• fuzzing — pinned nightly-2026-04-27 (cargo-fuzz 0.13.1's rustix won't compile on newer nightly: rustc_layout_scalar_valid_range_* reserved). Swapped the stale encryption_roundtrip target for encryption_key_derivation, which compiles against cachekit-core 0.1.1.
• kani — pinned CARGO_HOME and put its bin on PATH; cargo-kani was installed but not on PATH, so the job exited 127.
• security-deep-success — opens/updates a single tracking issue on failure. A schedule-only job that fails silently is worse than no job.

release-please.yml

• publish now needs: [..., attest]. If attestation fails, publish is skipped (re-runnable). No unattested wheels.

attestation-check.yml

• The weekly check called gh attestation list — not a real gh subcommand (only download/trusted-root/verify exist). That's why it errored in ~8s every week (the real cause behind Attestation verification failed for v0.6.1 #126, not missing attestations). Now downloads the published wheel and runs gh attestation verify.

Not in this PR

The other 9 encryption fuzz targets (encrypt_aes_gcm → encrypt_with_keys, #114) need the cachekit-core 0.1.1 API migration and local build verification — that's a separate, build-verified PR, not something to ship blind here.

Verify

Security Deep is schedule-only, so it won't run on this PR. After merge (or now, against this branch), trigger it manually to confirm green:

gh workflow run security-deep.yml --ref ci/restore-security-deep-pipeline

Refs #114, #126.

[coderabbitai]

Warning

Review limit reached

@27Bslash6, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 10 minutes and 22 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 94111afc-0bf0-4816-91fc-0d9131bb8f21

📥 Commits

Reviewing files that changed from the base of the PR and between 4d880b7 and a3a6e88.

📒 Files selected for processing (3)

• .github/workflows/attestation-check.yml
• .github/workflows/release-please.yml
• .github/workflows/security-deep.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch ci/restore-security-deep-pipeline

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

📢 Thoughts on this report? Let us know!

[27Bslash6]

Verified via dispatched run 26675421992: Kani ✅ (was 127), Sanitizers address/thread/memory ✅ (were EXDEV), Extended Fuzzing ✅ (was the rustix build failure), Miri ✅. The new failure-alert step also fired correctly and opened #138. Only Atheris remains red — clang/libFuzzer missing on the runner (see #138); that's a runner-image fix, out of scope here.

[27Bslash6]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[27Bslash6]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[27Bslash6]

@coderabbitai full review

[coderabbitai]

✅ Actions performed

Full review triggered.