Attestations.

Author: ncruces

.github/workflows/repro.sh

@@ -18,6 +18,13 @@ mkdir -p tools/
 [ -d "tools/binaryen-version"* ] || curl -#L "$BINARYEN" | tar xzC tools &
 wait
 
-sqlite3/download.sh   # Download SQLite
-embed/build.sh        # Build Wasm
-git diff --exit-code  # Check diffs
+# Download and build SQLite
+sqlite3/download.sh
+embed/build.sh
+
+# Download and build sqlite-createtable-parser
+util/vtabutil/parse/download.sh
+util/vtabutil/parse/build.sh
+
+# Check diffs
+git diff --exit-code 

.github/workflows/repro.yml

@@ -3,6 +3,11 @@ name: Reproducible build
 on:
   workflow_dispatch:
 
+permissions:
+  contents: read
+  id-token: write
+  attestations: write
+
 jobs:
   build:
     strategy:
@@ -17,3 +22,10 @@ jobs:
 
     - name: Build
       run: .github/workflows/repro.sh
+
+    - uses: actions/attest-build-provenance@v1
+      if: matrix.os == 'ubuntu-latest'
+      with:
+        subject-path: |
+          embed/sqlite3.wasm
+          util/vtabutil/parse/sql3parse_table.wasm

embed/README.md

@@ -24,4 +24,7 @@ See the [configuration options](../sqlite3/sqlite_cfg.h),
 and [patches](../sqlite3) applied.
 
 Built using [`wasi-sdk`](https://github.com/WebAssembly/wasi-sdk),
-and [`binaryen`](https://github.com/WebAssembly/binaryen).
+and [`binaryen`](https://github.com/WebAssembly/binaryen).
+
+The build is easily reproducible, and verifiable, using
+[Artifact Attestations](https://github.com/ncruces/go-sqlite3/attestations).