feat: add an attestations.json substitutable template (#239)

Author: kormide

dist/cli/index.js

@@ -8,6 +8,7 @@ bats_test(
     ],
     data = [
         "//e2e/fixtures",
+        "//e2e/fixtures:attestations",
         "//e2e/fixtures:versioned",
         "//e2e/fixtures:zip",
         "//src/application/cli:bundle",

e2e/cli/BUILD.bazel

@@ -21,6 +21,24 @@ swap_source_url() {
     mv "${TEST_TMPDIR}/tmp" "${SRC}"
 }
 
+swap_attestation_url() {
+    local SRC=$1
+    local FIELD=$2
+    local URL=$3
+
+    cat "${SRC}" | jq ".attestations[\"${FIELD}\"].url = \"${URL}\"" > "${TEST_TMPDIR}/tmp"
+    mv "${TEST_TMPDIR}/tmp" "${SRC}"
+}
+
+mock_attestation() {
+    local NAME=$1
+
+    FILE="$(mktemp -p "${TEST_TMPDIR}" --directory)/${NAME}"
+    jq --null-input "{foobar:\"${NAME}\"}" > "${FILE}"
+
+    echo -n "${FILE}"
+}
+
 @test 'no_args_shows_help' {
     run "${NODE_BIN}" "${CLI_BIN}"
 
@@ -82,6 +100,31 @@ swap_source_url() {
     assert_file_exists "${ENTRY_PATH}/1.0.0/presubmit.yml"
 }
 
+@test 'create entry with attestations' {
+    FIXTURE="e2e/fixtures/attestations"
+    cp -R "${FIXTURE}" "${TEST_TMPDIR}/"
+    FIXTURE="${TEST_TMPDIR}/$(basename "${FIXTURE}")"
+    TEMPLATES_DIR="${FIXTURE}/.bcr"
+    RELEASE_ARCHIVE="e2e/fixtures/attestations-attestations-1.0.0.tar"
+
+    SOURCE_ATTESTATION=$(mock_attestation "source.json.intoto.jsonl")
+    MODULE_ATTESTATION=$(mock_attestation "MODULE.bazel.intoto.jsonl")
+    ARCHIVE_ATTESTATION=$(mock_attestation "attestations-v1.0.0.tar.gz.intoto.jsonl")
+
+    swap_source_url "${TEMPLATES_DIR}/source.template.json" "file://$(realpath "${RELEASE_ARCHIVE}")"
+    swap_attestation_url "${TEMPLATES_DIR}/attestations.template.json" "source.json" "file://$(realpath "${SOURCE_ATTESTATION}")"
+    swap_attestation_url "${TEMPLATES_DIR}/attestations.template.json" "MODULE.bazel" "file://$(realpath "${MODULE_ATTESTATION}")"
+    swap_attestation_url "${TEMPLATES_DIR}/attestations.template.json" "{REPO}-{TAG}.tar.gz.intoto.jsonl" "file://$(realpath "${ARCHIVE_ATTESTATION}")"
+
+    run "${NODE_BIN}" "${CLI_BIN}" create-entry --local-registry "${REGISTRY_PATH}" --templates-dir "${TEMPLATES_DIR}" --module-version 1.0.0 --github-repository owner/attestations --tag v1.0.0
+
+    assert_success
+
+    ENTRY_PATH="${REGISTRY_PATH}/modules/attestations"
+
+    assert_file_exists "${ENTRY_PATH}/1.0.0/attestations.json"
+}
+
 @test 'missing OWNER/REPO vars' {
     FIXTURE="e2e/fixtures/versioned"
     cp -R "${FIXTURE}" "${TEST_TMPDIR}/"

e2e/cli/e2e.bats

@@ -1,6 +1,12 @@
 load("@aspect_bazel_lib//lib:copy_to_bin.bzl", "copy_to_bin")
 load(":fixture.bzl", "fixture_archive")
 
+fixture_archive(
+    name = "attestations",
+    archive = "tar",
+    prefix = "attestations-1.0.0",
+)
+
 fixture_archive(
     name = "empty-prefix",
     archive = "tar",

e2e/fixtures/BUILD.bazel

@@ -0,0 +1,17 @@
+{
+  "types": ["https://slsa.dev/provenance/v1"],
+  "attestations": {
+    "source.json": {
+      "url": "https://github.com/{OWNER}/{REPO}/releases/download/{TAG}/source.json.intoto.jsonl",
+      "integrity": ""
+    },
+    "MODULE.bazel": {
+      "url": "https://github.com/{OWNER}/{REPO}/releases/download/{TAG}/MODULE.bazel.intoto.jsonl",
+      "integrity": ""
+    },
+    "{REPO}-{TAG}.tar.gz.intoto.jsonl": {
+      "url": "https://github.com/{OWNER}/{REPO}/releases/download/{TAG}/{REPO}-{TAG}.tar.gz.intoto.jsonl",
+      "integrity": ""
+    }
+  }
+}

e2e/fixtures/attestations/.bcr/attestations.template.json

@@ -0,0 +1,13 @@
+{
+  "homepage": "https://github.com/testorg/attestations",
+  "maintainers": [
+    {
+      "name": "Foo McBar",
+      "email": "[email protected]",
+      "github": "foobar"
+    }
+  ],
+  "repository": ["github:testorg/attestations"],
+  "versions": [],
+  "yanked_versions": {}
+}

e2e/fixtures/attestations/.bcr/metadata.template.json

@@ -0,0 +1,12 @@
+bcr_test_module:
+  module_path: "e2e/bzlmod"
+  matrix:
+    platform: ["debian10", "macos", "ubuntu2004", "windows"]
+    bazel: [6.x, 7.x]
+  tasks:
+    run_tests:
+      name: "Run test module"
+      platform: ${{ platform }}
+      bazel: ${{ bazel }}
+      test_targets:
+        - "//..."

e2e/fixtures/attestations/.bcr/presubmit.yml

@@ -0,0 +1,5 @@
+{
+  "integrity": "",
+  "strip_prefix": "{REPO}-{VERSION}",
+  "url": "https://github.com/{OWNER}/{REPO}/releases/download/{TAG}/{REPO}-{TAG}.tar.gz"
+}

e2e/fixtures/attestations/.bcr/source.template.json

@@ -0,0 +1,4 @@
+module(
+    name = "attestations",
+    version = "1.0.0",
+)

e2e/fixtures/attestations/MODULE.bazel

@@ -0,0 +1 @@
+Ruleset repo with `attestations.template.json`.