feat: attest generated bcr files (#237)

Author: kormide

.github/workflows/action-e2e.yaml

@@ -63,3 +63,36 @@ jobs:
           local-registry: bazel-central-registry
       - name: Test repository substitution
         run: this/e2e/action/test-github-repository-default-substitution.sh
+  test-attestations:
+    # Test that attestations are created when `attest` is set to true
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          path: this
+      - name: Setup test fixture
+        run: this/e2e/action/setup-test-fixture.sh versioned versioned-1.0.0
+      - name: Create registry
+        run: |
+          mkdir -p bazel-central-registry/modules
+          cd bazel-central-registry
+          git init
+      - name: Create entry
+        uses: ./this
+        with:
+          attest: true
+          attestations-dest: attestations
+          tag: v1.0.0
+          module-version: 1.0.0
+          github-repository: foobar/versioned
+          templates-dir: this/e2e/fixtures/versioned/.bcr
+          local-registry: bazel-central-registry
+      - name: Test attestations exist
+        run: |
+          set -o errexit -o nounset -o pipefail -o xtrace
+
+          [ -f attestations/MODULE.bazel.intoto.jsonl ]
+          [ -f attestations/source.json.intoto.jsonl ]

MODULE.bazel

@@ -24,6 +24,8 @@ git_override(
 
 bazel_lib = use_extension("@aspect_bazel_lib//lib:extensions.bzl", "toolchains")
 bazel_lib.bats()
+bazel_lib.jq()
+use_repo(bazel_lib, "jq_toolchains")
 
 multitool = use_extension("@rules_multitool//multitool:extension.bzl", "multitool")
 multitool.hub(lockfile = "//tools:tools.lock.json")

action.yaml

@@ -1,6 +1,18 @@
 name: 'Publish to BCR'
 description: 'Create a new module version entry in a Bazel registry'
 inputs:
+  attest:
+    description: 'Whether to generate attestations for files created by Publish to BCR.'
+    required: false
+    default: false
+  attestations-dest:
+    description: 'Directory to output attestations to. Attestations are not included in the entry.'
+    required: false
+    default: ''
+  gh-token:
+    description: 'Token for persisting attestations to the repo. This must be a token with id-token and attestation write permissions.'
+    required: false
+    default: ${{ github.token }}
   github-repository:
     description: 'GitHub repository for the module being published. Used to substititue the OWNER and REPO vars into the source template. Defaults to the repository this action runs in.'
     required: false

dist/action/index.js

@@ -11,10 +11,15 @@ bats_test(
         "//e2e/fixtures:versioned",
         "//e2e/fixtures:zip",
         "//src/application/cli:bundle",
+        "@jq_toolchains//:resolved_toolchain",
         "@nodejs_toolchains//:resolved_toolchain",
     ],
     env = {
         "CLI_BIN": "$(rootpath //src/application/cli:bundle)",
+        "JQ_BIN": "$(JQ_BIN)",
         "NODE_BIN": "$(rootpath @nodejs_toolchains//:resolved_toolchain)",
     },
+    toolchains = [
+        "@jq_toolchains//:resolved_toolchain",
+    ],
 )

dist/cli/index.js

@@ -5,10 +5,12 @@ bats_load_library "bats-support"
 setup() {
     export REGISTRY_PATH="${TEST_TMPDIR}/bazel-central-registry"
     mkdir -p "${REGISTRY_PATH}/modules"
+    
+    export jq="../${JQ_BIN#"external/"}"
 }
 
 teardown() {
-    rm -rf "${TEST_TMPDIR}/*"
+    rm -rf "${TEST_TMPDIR}"/*
 }
 
 swap_source_url() {
@@ -94,4 +96,22 @@ swap_source_url() {
     assert_failure
 
     assert_output --partial 'Did you forget to pass --github-repository to substitute the OWNER and REPO variables?'
+}
+
+@test 'outputs json blob with info about entry to stdout' {
+    FIXTURE="e2e/fixtures/versioned"
+    cp -R "${FIXTURE}" "${TEST_TMPDIR}/"
+    FIXTURE="${TEST_TMPDIR}/$(basename "${FIXTURE}")"
+    TEMPLATES_DIR="${FIXTURE}/.bcr"
+    RELEASE_ARCHIVE="e2e/fixtures/versioned-versioned-1.0.0.tar"
+
+    swap_source_url "${TEMPLATES_DIR}/source.template.json" "file://$(realpath "${RELEASE_ARCHIVE}")"
+
+    STDOUT=$("${NODE_BIN}" "${CLI_BIN}" create-entry --local-registry "${REGISTRY_PATH}" --templates-dir "${TEMPLATES_DIR}" --module-version 1.0.0 --github-repository owner/versioned --tag v1.0.0)
+    ENTRY_PATH="${REGISTRY_PATH}/modules/versioned/1.0.0"
+
+    ACTUAL=$("${jq}" <<< ${STDOUT} .)
+    EXPECTED=$("${jq}" --null-input "{moduleName: \"versioned\", entryPath: \"${ENTRY_PATH}\"}")
+
+    assert_equal "${EXPECTED}" "${ACTUAL}"
 }

e2e/cli/BUILD.bazel

@@ -15,6 +15,7 @@
     "gcp-build": ""
   },
   "dependencies": {
+    "@actions/attest": "^1.5.0",
     "@actions/core": "^1.11.1",
     "@actions/exec": "^1.1.1",
     "@google-cloud/functions-framework": "^3.1.2",
@@ -32,6 +33,7 @@
     "axios-retry": "^4.0.0",
     "chalk": "^4.1.2",
     "diff": "^5.1.0",
+    "encoding": "0.1.13",
     "exponential-backoff": "3.1.1",
     "extract-zip": "^2.0.1",
     "gcp-metadata": "^6.0.0",
@@ -84,6 +86,11 @@
   "pnpm": {
     "onlyBuiltDependencies": [],
     "packageExtensions": {
+      "@actions/github": {
+        "dependencies": {
+          "undici": "*"
+        }
+      },
       "@google-cloud/secret-manager": {
         "dependencies": {
           "long": "5.2.3"
@@ -98,6 +105,11 @@
         "dependencies": {
           "debug": "*"
         }
+      },
+      "node-fetch": {
+        "dependencies": {
+          "encoding": "*"
+        }
       }
     }
   }