Introducing code signing, build provenance attestation, and persisting artifacts to GCS (#873)

jakedahn · web-flow · commit 07d1686eedf9 · 2025-03-26T12:02:59.000-06:00
diff --git a/.github/workflows/deno.yml b/.github/workflows/deno.yml
@@ -1,4 +1,4 @@
-name: Deno Workflow 
+name: Deno Workflow
 
 on:
   push:
@@ -25,13 +25,13 @@ jobs:
             ~/.deno
             ~/.cache/deno
           key: ${{ runner.os }}-deno-${{ hashFiles('**/deno.json') }}
-      - name: Install dependencies 
+      - name: Install dependencies
         # Errors if `deno.lock` file was not
         # committed with the current change.
         run: deno install --frozen=true
-      - name: Check 
+      - name: Check
         run: deno task check
-      - name: Lint 
+      - name: Lint
         run: deno lint
       # For deno-web-test browser tests
       # https://github.com/lino-levan/astral/blob/f5ef833b2c5bde3783564a6b925073d5d46bb4b8/README.md#no-usable-sandbox-with-user-namespace-cloning-enabled
@@ -43,31 +43,144 @@ jobs:
   build-artifact:
     name: "Build Artifact"
     runs-on: ubuntu-latest
-    needs: ['workspace-tests']
+    needs: ["workspace-tests"]
+    environment: production
+    permissions:
+      id-token: write
+      contents: read
+      actions: read
+      attestations: write
     steps:
       - uses: actions/checkout@v4
+
       - name: Setup Deno
         uses: denoland/setup-deno@v2
         with:
           deno-version: "2.2.2"
+
       - name: Cache dependencies
         uses: actions/cache@v3
         with:
           path: |
             ~/.deno
             ~/.cache/deno
           key: ${{ runner.os }}-deno-${{ hashFiles('**/deno.json') }}
-      - name: Build artifact 
+
+      - name: Build artifact
         run: deno task build-artifact
+
+      - name: Sign and package for main
+        if: github.ref == 'refs/heads/main'
+        run: |
+          openssl dgst -sha256 -sign <(echo "${{ secrets.ARTIFACT_SIGNING_KEY }}") -out ./artifact.sig ./artifact
+          mkdir -p release
+          tar -czf release/${{ github.sha }}.tar.gz ./artifact ./artifact.sig
+
+      - name: Generate hashes for main
+        if: github.ref == 'refs/heads/main'
+        id: hash
+        run: |
+          sha256sum release/${{ github.sha }}.tar.gz > release/${{ github.sha }}.hash.txt
+          ARTIFACT_HASH=$(cat release/${{ github.sha }}.hash.txt | awk '{print $1}')
+          echo "Hash value: $ARTIFACT_HASH"
+          echo "hash=$ARTIFACT_HASH" >> $GITHUB_OUTPUT
+
+      - name: Generate binary hash for main
+        if: github.ref == 'refs/heads/main'
+        id: binary_hash
+        run: |
+          sha256sum ./artifact > binary.hash.txt
+          BINARY_HASH=$(cat binary.hash.txt | awk '{print $1}')
+          echo "Binary hash value: $BINARY_HASH"
+          echo "binary_hash=$BINARY_HASH" >> $GITHUB_OUTPUT
+
+      - name: Generate binary attestation for main
+        if: github.ref == 'refs/heads/main'
+        id: attest_binary
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: ./artifact
+          subject-digest: sha256:${{ steps.binary_hash.outputs.binary_hash }}
+
+      - name: Upload binary attestation for main
+        if: github.ref == 'refs/heads/main'
+        uses: actions/upload-artifact@v4
+        with:
+          name: attest_binary
+          if-no-files-found: error
+          path: ${{ steps.attest_binary.outputs.bundle-path }}
+
+      - name: Generate tarball attestation for main
+        if: github.ref == 'refs/heads/main'
+        id: attest_tarball
+        uses: actions/attest-build-provenance@v1
+        with:
+          subject-name: https://storage.cloud.google.com/commontools-build-artifacts/workspace-artifacts/${{ github.sha }}.tar.gz
+          subject-digest: sha256:${{ steps.hash.outputs.hash }}
+
+      - name: Upload tarball attestation for main
+        if: github.ref == 'refs/heads/main'
+        uses: actions/upload-artifact@v4
+        with:
+          name: attest_tarball
+          if-no-files-found: error
+          path: ${{ steps.attest_tarball.outputs.bundle-path }}
+
+      - name: Verify tarball attestation for main
+        if: github.ref == 'refs/heads/main'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "::group::Tarball attestation details"
+          gh attestation verify release/${{ github.sha }}.tar.gz -R ${{ github.repository }} --format json | jq
+          echo "::endgroup::"
+          if [ $? -eq 0 ]; then
+            echo -e "\033[32m✓ Tarball attestation verified successfully\033[0m"
+          else
+            echo -e "\033[31m✗ Tarball attestation verification failed\033[0m"
+            exit 1
+          fi
+
+      - name: Verify binary attestation for main
+        if: github.ref == 'refs/heads/main'
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          echo "::group::Binary attestation details"
+          gh attestation verify ./artifact -R ${{ github.repository }} --format json | jq
+          echo "::endgroup::"
+          if [ $? -eq 0 ]; then
+            echo -e "\033[32m✓ Binary attestation verified successfully\033[0m"
+          else
+            echo -e "\033[31m✗ Binary attestation verification failed\033[0m"
+            exit 1
+          fi
+
+      - name: Authenticate to Google Cloud for main
+        if: github.ref == 'refs/heads/main'
+        uses: google-github-actions/auth@v1
+        with:
+          credentials_json: ${{ secrets.GCP_SA_KEY }}
+
+      - name: Setup Google Cloud SDK for main
+        if: github.ref == 'refs/heads/main'
+        uses: google-github-actions/setup-gcloud@v1
+
+      - name: Upload to GCS for main
+        if: github.ref == 'refs/heads/main'
+        run: |
+          gsutil cp release/${{ github.sha }}.tar.gz gs://commontools-build-artifacts/workspace-artifacts/
+          gsutil cp release/${{ github.sha }}.hash.txt gs://commontools-build-artifacts/workspace-artifacts/
+
       - uses: actions/upload-artifact@v4
         with:
           name: common-artifact
           path: ./artifact
-  
+
   integration-test:
     name: "Integration Tests"
     runs-on: ubuntu-latest
-    needs: ['build-artifact']
+    needs: ["build-artifact"]
     environment: production
     services:
       redis:
@@ -81,28 +194,34 @@ jobs:
           --health-retries 5
     steps:
       - uses: actions/checkout@v4
+
       - name: Setup Deno
         uses: denoland/setup-deno@v2
         with:
           deno-version: "2.2.2"
+
       - name: Cache dependencies
         uses: actions/cache@v3
         with:
           path: |
             ~/.deno
             ~/.cache/deno
           key: ${{ runner.os }}-deno-${{ hashFiles('**/deno.json') }}
+
       - uses: actions/download-artifact@v4
+
       - name: Run Compiled Toolshed
         run: |
           chmod +x ./common-artifact/artifact
           CTTS_AI_LLM_ANTHROPIC_API_KEY=fake \
           CACHE_DIR=${GITHUB_WORKSPACE}/jumble/integration/cache \
           ./common-artifact/artifact &
+
       # For Astral
       # https://github.com/lino-levan/astral/blob/f5ef833b2c5bde3783564a6b925073d5d46bb4b8/README.md#no-usable-sandbox-with-user-namespace-cloning-enabled
       - name: Disable AppArmor
         run: echo 0 | sudo tee /proc/sys/kernel/apparmor_restrict_unprivileged_userns
+
       - name: Run Integration
         working-directory: jumble
         run: |
