feat(cli/action): publish multiple module entries (#247)

Author: kormide

.github/workflows/action-e2e.yaml

@@ -44,8 +44,8 @@ jobs:
         run: |
           set -o errexit -o nounset -o pipefail -o xtrace
 
-          if [[ "${{ steps.create_entry.outputs.module-name }}" != "versioned" ]]; then
-            echo "Expected output module-name to be 'versioned' but it was '${{ steps.create_entry.outputs.module-name }}'"
+          if [[ "${{ steps.create_entry.outputs.module-names }}" != "versioned" ]]; then
+            echo "Expected output module-names to be 'versioned' but it was '${{ steps.create_entry.outputs.module-name }}'"
             exit 1
           fi
   test-github-repository-default:
@@ -105,3 +105,38 @@ jobs:
 
           [ -f attestations/MODULE.bazel.intoto.jsonl ]
           [ -f attestations/source.json.intoto.jsonl ]
+  test-multi-module-attestations:
+    # Test that attestation files are given a prefixed name when multiple modules are published
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      attestations: write
+    steps:
+      - uses: actions/checkout@v2
+        with:
+          path: this
+      - name: Setup test fixture
+        run: this/e2e/action/setup-test-fixture.sh multi-module multi-module-1.0.0
+      - name: Create registry
+        run: |
+          mkdir -p bazel-central-registry/modules
+          cd bazel-central-registry
+          git init
+      - name: Create entry
+        uses: ./this
+        with:
+          attest: true
+          attestations-dest: attestations
+          tag: v1.0.0
+          module-version: 1.0.0
+          github-repository: testorg/multi-module
+          templates-dir: this/e2e/fixtures/multi-module/.bcr
+          local-registry: bazel-central-registry
+      - name: Test attestations exist
+        run: |-
+          set -o errexit -o nounset -o pipefail -o xtrace
+
+          [ -f attestations/module.MODULE.bazel.intoto.jsonl ]
+          [ -f attestations/module.source.json.intoto.jsonl ]
+          [ -f attestations/submodule.MODULE.bazel.intoto.jsonl ]
+          [ -f attestations/submodule.source.json.intoto.jsonl ]

dist/action/index.js

@@ -6,11 +6,20 @@ STRIP_PREFIX="${2}"
 
 SCRIPT_DIR=$( cd -- "$( dirname -- "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )
 ACTION_REPO_PATH="${SCRIPT_DIR}/../../"
+FIXTURE_PATH="${ACTION_REPO_PATH}/e2e/fixtures/${FIXTURE}"
 
 # Create a release archive from a fixture
-tar -czvf archive.tar.gz -C "${ACTION_REPO_PATH}/e2e/fixtures/${FIXTURE}" --transform "s,^./,${STRIP_PREFIX}/," --sort=name --owner=root:0 --group=root:0 --mtime="UTC 1980-02-01" .
+tar -czvf archive.tar.gz -C "${FIXTURE_PATH}" --transform "s,^./,${STRIP_PREFIX}/," --sort=name --owner=root:0 --group=root:0 --mtime="UTC 1980-02-01" .
+
+if [ -f "${FIXTURE_PATH}/.bcr/config.yml" ]; then
+    readarray -t MODULE_ROOTS < <(cat "${FIXTURE_PATH}/.bcr/config.yml" | yq -r '.moduleRoots.[]')
+else
+    MODULE_ROOTS=(".")
+fi
 
 # Substitute the archive url to a local file path
-cat "${ACTION_REPO_PATH}/e2e/fixtures/${FIXTURE}/.bcr/source.template.json" | jq ".url = \"file://$(realpath archive.tar.gz)\"" > "/tmp/source.template.json"
-mv /tmp/source.template.json "${ACTION_REPO_PATH}/e2e/fixtures/${FIXTURE}/.bcr/source.template.json"
-cat "${ACTION_REPO_PATH}/e2e/fixtures/${FIXTURE}/.bcr/source.template.json"
+for MODULE_ROOT in "${MODULE_ROOTS[@]}"; do
+    cat "${FIXTURE_PATH}/.bcr/${MODULE_ROOT}/source.template.json" | jq ".url = \"file://$(realpath archive.tar.gz)\"" > "/tmp/source.template.json"
+    mv /tmp/source.template.json "${FIXTURE_PATH}/.bcr/${MODULE_ROOT}/source.template.json"
+    cat "${FIXTURE_PATH}/.bcr/${MODULE_ROOT}/source.template.json"
+done

dist/cli/index.js

@@ -9,6 +9,7 @@ bats_test(
     data = [
         "//e2e/fixtures",
         "//e2e/fixtures:attestations",
+        "//e2e/fixtures:multi-module",
         "//e2e/fixtures:versioned",
         "//e2e/fixtures:zip",
         "//src/application/cli:bundle",

e2e/action/setup-test-fixture.sh

@@ -100,6 +100,35 @@ mock_attestation() {
     assert_file_exists "${ENTRY_PATH}/1.0.0/presubmit.yml"
 }
 
+@test 'multi-module entry' {
+    FIXTURE="e2e/fixtures/multi-module"
+    cp -R "${FIXTURE}" "${TEST_TMPDIR}/"
+    FIXTURE="${TEST_TMPDIR}/$(basename "${FIXTURE}")"
+    TEMPLATES_DIR="${FIXTURE}/.bcr"
+    RELEASE_ARCHIVE="e2e/fixtures/multi-module-multi-module-1.0.0.tar.gz"
+
+    swap_source_url "${TEMPLATES_DIR}/source.template.json" "file://$(realpath "${RELEASE_ARCHIVE}")"
+    swap_source_url "${TEMPLATES_DIR}/submodule/source.template.json" "file://$(realpath "${RELEASE_ARCHIVE}")"
+
+    run "${NODE_BIN}" "${CLI_BIN}" create-entry --local-registry "${REGISTRY_PATH}" --templates-dir "${TEMPLATES_DIR}" --module-version 1.0.0 --github-repository testorg/multi-module --tag v1.0.0
+
+    assert_success
+
+    ENTRY_PATH="${REGISTRY_PATH}/modules/module"
+
+    assert_file_exists "${ENTRY_PATH}/metadata.json"
+    assert_file_exists "${ENTRY_PATH}/1.0.0/MODULE.bazel"
+    assert_file_exists "${ENTRY_PATH}/1.0.0/source.json"
+    assert_file_exists "${ENTRY_PATH}/1.0.0/presubmit.yml"
+
+    ENTRY_PATH="${REGISTRY_PATH}/modules/submodule"
+
+    assert_file_exists "${ENTRY_PATH}/metadata.json"
+    assert_file_exists "${ENTRY_PATH}/1.0.0/MODULE.bazel"
+    assert_file_exists "${ENTRY_PATH}/1.0.0/source.json"
+    assert_file_exists "${ENTRY_PATH}/1.0.0/presubmit.yml"
+}
+
 @test 'create entry with attestations' {
     FIXTURE="e2e/fixtures/attestations"
     cp -R "${FIXTURE}" "${TEST_TMPDIR}/"
@@ -154,7 +183,7 @@ mock_attestation() {
     ENTRY_PATH="${REGISTRY_PATH}/modules/versioned/1.0.0"
 
     ACTUAL=$("${jq}" <<< ${STDOUT} .)
-    EXPECTED=$("${jq}" --null-input "{moduleName: \"versioned\", entryPath: \"${ENTRY_PATH}\"}")
+    EXPECTED=$("${jq}" --null-input "{\"modules\": [{\"name\": \"versioned\", entryPath: \"${ENTRY_PATH}\"}]}")
 
     assert_equal "${EXPECTED}" "${ACTUAL}"
 }

e2e/cli/BUILD.bazel

@@ -1 +1 @@
-Ruleset repo that has multiple `moduleRoots` configured.
+Ruleset repo that has multiple `moduleRoots` configured and a shared release archive.

e2e/cli/e2e.bats

@@ -169,7 +169,7 @@ bcr_test_module:
 modules/module/1.0.0/source.json
 ----------------------------------------------------
 {
-    "integrity": "sha256-GIERNCByLpef3PWA31F/50ECIeCXV3jcieI/pv1uovg=",
+    "integrity": "sha256-futnmCx8nl4tIw5yGYoH71w4K3fUet2eXjb/ek4cIKU=",
     "strip_prefix": "multi-module-1.0.0",
     "url": "https://github.com/testorg/multi-module/releases/download/v1.0.0.tar.gz"
 }
@@ -223,7 +223,7 @@ bcr_test_module:
 modules/submodule/1.0.0/source.json
 ----------------------------------------------------
 {
-    "integrity": "sha256-GIERNCByLpef3PWA31F/50ECIeCXV3jcieI/pv1uovg=",
+    "integrity": "sha256-futnmCx8nl4tIw5yGYoH71w4K3fUet2eXjb/ek4cIKU=",
     "strip_prefix": "multi-module-1.0.0/submodule",
     "url": "https://github.com/testorg/multi-module/releases/download/v1.0.0.tar.gz"
 }

e2e/fixtures/multi-module/README.md

@@ -18,18 +18,23 @@ export async function attest(
     if (!inputs.ghToken) {
       throw new Error('gh-token must be set to produce attestations');
     }
-    await attestEntryFiles(
-      cliOutput.entryPath,
-      inputs.attestationsDest,
-      inputs.ghToken
-    );
+
+    for (const module of cliOutput.modules) {
+      await attestEntryFiles(
+        module.entryPath,
+        inputs.attestationsDest,
+        inputs.ghToken,
+        cliOutput.modules.length > 1 ? module.name : null
+      );
+    }
   }
 }
 
 async function attestEntryFiles(
   entryPath: string,
   attestationsDest: string,
-  ghToken: string
+  ghToken: string,
+  prefix: string | null
 ) {
   if (!fs.existsSync(attestationsDest)) {
     fs.mkdirSync(attestationsDest, { recursive: true });
@@ -39,7 +44,10 @@ async function attestEntryFiles(
     await attestArtifact(
       artifact,
       path.join(entryPath, artifact),
-      attestationsDest,
+      path.join(
+        attestationsDest,
+        `${prefix !== null ? `${prefix}.` : ''}${artifact}.intoto.jsonl`
+      ),
       ghToken
     );
   }
@@ -69,9 +77,5 @@ async function attestArtifact(
     token: ghToken,
   });
 
-  fs.writeFileSync(
-    path.join(dest, `${artifactName}.intoto.jsonl`),
-    JSON.stringify(attestation.bundle),
-    'utf-8'
-  );
+  fs.writeFileSync(dest, JSON.stringify(attestation.bundle), 'utf-8');
 }

e2e/github-webhook/__snapshots__/e2e.spec.js.snap

@@ -67,7 +67,10 @@ async function main() {
       return;
     }
 
-    core.setOutput('module-name', cliOutput.moduleName);
+    core.setOutput(
+      'module-names',
+      cliOutput.modules.map((m) => m.name).join(',')
+    );
 
     await attest(inputs, cliOutput!);
   } catch (error) {