Verify artifact attestations for sass-embedded prebuilt gems

ntkme · ntkme · commit 54720b213f87 · 2025-03-31T16:42:14.000-07:00
diff --git a/ext/sass/Rakefile b/ext/sass/Rakefile
@@ -45,14 +45,13 @@ rescue NotImplementedError
 end
 
 file 'dart-sass/sass' do
-  gem_install 'sass-embedded', SassConfig.gem_version, SassConfig.gem_platform do |dir|
-    mv File.absolute_path('ext/sass/dart-sass', dir), 'dart-sass'
+  gem_install 'sass-embedded', SassConfig.gem_version, SassConfig.gem_platform do |installer|
+    gh_attestation_verify(installer.gem, 'sass-contrib/sass-embedded-host-ruby')
+    mv File.absolute_path('ext/sass/dart-sass', installer.gem_dir), 'dart-sass'
   end
 rescue StandardError
   archive = fetch(SassConfig.dart_sass)
-  if SassConfig.development? && system('gh', 'auth', 'status', '--hostname', 'github.com', %i[out err] => File::NULL)
-    sh 'gh', 'attestation', 'verify', archive, '--hostname', 'github.com', '--repo', 'sass/dart-sass'
-  end
+  gh_attestation_verify(archive, 'sass/dart-sass')
   unarchive archive
   rm archive
 end
@@ -424,10 +423,16 @@ module FileUtils
       installer.install
     end
 
-    yield installer.dir
+    yield installer
   ensure
     rm_rf install_dir unless Rake::FileUtilsExt.nowrite_flag
   end
+
+  def gh_attestation_verify(path, repo)
+    if SassConfig.development? && system('gh', 'auth', 'status', '--hostname', 'github.com', %i[out err] => File::NULL)
+      sh 'gh', 'attestation', 'verify', path, '--hostname', 'github.com', '--repo', repo
+    end
+  end
 end
 
 # The {Platform} module.
