(build) add actions/attest-build-provenance

arturcic · Oct 16, 2024 · 03972ee · 03972ee
1 parent dba9244
commit 03972ee
Show file tree

Hide file tree

Showing 13 changed files with 110 additions and 52 deletions.
diff --git a/.github/actions/artifacts-attest/action.yml b/.github/actions/artifacts-attest/action.yml
@@ -0,0 +1,13 @@
+name: 'Artifacts attestation'
+description: 'Artifacts attestation'
+
+runs:
+  using: 'composite'
+  steps:
+  -
+    name: 'Attestation'
+    uses: actions/attest-build-provenance@v1
+    with:
+      subject-path: |
+        ${{ github.workspace }}/artifacts/packages/native
+        ${{ github.workspace }}/artifacts/packages/nuget
diff --git a/.github/actions/artifacts-restore/action.yml b/.github/actions/artifacts-restore/action.yml
@@ -5,21 +5,26 @@ runs:
   using: 'composite'
   steps:
   -
-    name: Use cached cake frosting
-    id: cache-cake
-    uses: actions/cache@v4
+    uses: actions/download-artifact@v4
+    name: Download native linux packages
     with:
-      path: run
-      key: run-${{ runner.os }}-${{ hashFiles('./build/**') }}
+      name: native-Linux
+      path: ${{ github.workspace }}/artifacts/packages/native
   -
-    name: Use cached tools
-    id: cache-tools
-    uses: actions/cache@v4
+    uses: actions/download-artifact@v4
+    name: Download native windows packages
     with:
-      path: tools
-      key: tools-${{ runner.os }}-${{ hashFiles('./build/**') }}
+      name: native-Windows
+      path: ${{ github.workspace }}/artifacts/packages/native
   -
-    name: Setup .NET SDK
-    uses: actions/setup-dotnet@v4
+    uses: actions/download-artifact@v4
+    name: Download native macos packages
     with:
-      global-json-file: global.json
+      name: native-macOS
+      path: ${{ github.workspace }}/artifacts/packages/native
+  -
+    uses: actions/download-artifact@v4
+    name: Download nuget packages
+    with:
+      name: nuget
+      path: ${{ github.workspace }}/artifacts/packages/nuget
diff --git a/.github/actions/cache-restore/action.yml b/.github/actions/cache-restore/action.yml
@@ -0,0 +1,25 @@
+name: 'Cache restore'
+description: 'Cache restore'
+
+runs:
+  using: 'composite'
+  steps:
+  -
+    name: Use cached cake frosting
+    id: cache-cake
+    uses: actions/cache@v4
+    with:
+      path: run
+      key: run-${{ runner.os }}-${{ hashFiles('./build/**') }}
+  -
+    name: Use cached tools
+    id: cache-tools
+    uses: actions/cache@v4
+    with:
+      path: tools
+      key: tools-${{ runner.os }}-${{ hashFiles('./build/**') }}
+  -
+    name: Setup .NET SDK
+    uses: actions/setup-dotnet@v4
+    with:
+      global-json-file: global.json
diff --git a/.github/workflows/_artifacts_linux.yml b/.github/workflows/_artifacts_linux.yml
@@ -37,7 +37,7 @@ jobs:
         fetch-depth: 0
     -
       name: Restore State
-      uses: ./.github/actions/artifacts-restore
+      uses: ./.github/actions/cache-restore
     -
       uses: actions/download-artifact@v4
       name: Download nuget packages
@@ -48,7 +48,7 @@ jobs:
       uses: actions/download-artifact@v4
       name: Download native packages
       with:
-        name: native-${{ runner.os }}
+        name: native-Linux
         path: ${{ github.workspace }}/artifacts/packages/native
     -
       name: '[Test Artifacts]'

diff --git a/.github/workflows/_artifacts_windows.yml b/.github/workflows/_artifacts_windows.yml
@@ -22,7 +22,7 @@ jobs:
         fetch-depth: 0
     -
       name: Restore State
-      uses: ./.github/actions/artifacts-restore
+      uses: ./.github/actions/cache-restore
     -
       uses: actions/download-artifact@v4
       name: Download nuget packages

diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml
@@ -22,7 +22,7 @@ jobs:
         fetch-depth: 0
     -
       name: Restore State
-      uses: ./.github/actions/artifacts-restore
+      uses: ./.github/actions/cache-restore
     -
       name: '[Build]'
       shell: pwsh

diff --git a/.github/workflows/_docker.yml b/.github/workflows/_docker.yml
@@ -37,7 +37,7 @@ jobs:
         fetch-depth: 0
     -
       name: Restore State
-      uses: ./.github/actions/artifacts-restore
+      uses: ./.github/actions/cache-restore
     -
       uses: actions/download-artifact@v4
       name: Download nuget packages

diff --git a/.github/workflows/_docker_manifests.yml b/.github/workflows/_docker_manifests.yml
@@ -30,7 +30,7 @@ jobs:
         fetch-depth: 0
     -
       name: Restore State
-      uses: ./.github/actions/artifacts-restore
+      uses: ./.github/actions/cache-restore
     -
       name: Set up Docker
       uses: crazy-max/ghaction-setup-docker@v3

diff --git a/.github/workflows/_publish.yml b/.github/workflows/_publish.yml
@@ -26,7 +26,7 @@ jobs:
         fetch-depth: 0
     -
       name: Restore State
-      uses: ./.github/actions/artifacts-restore
+      uses: ./.github/actions/cache-restore
     -
       uses: actions/download-artifact@v4
       name: Download nuget packages
@@ -36,4 +36,4 @@ jobs:
     -
       name: '[Publish]'
       shell: pwsh
-      run: dotnet run/publish.dll --target=Publish${{ matrix.taskName }}
+      run: dotnet run/publish.dll --target=Publish${{ matrix.taskName }}
diff --git a/.github/workflows/_unit_tests.yml b/.github/workflows/_unit_tests.yml
@@ -25,7 +25,7 @@ jobs:
         fetch-depth: 0
     -
       name: Restore State
-      uses: ./.github/actions/artifacts-restore
+      uses: ./.github/actions/cache-restore
     -
       name: '[Unit Test]'
       shell: pwsh

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -34,8 +34,10 @@ env:
   ENABLED_DIAGNOSTICS: ${{ secrets.ENABLED_DIAGNOSTICS }}
 
 permissions:
+  id-token: write
   contents: read
   packages: write
+  attestations: write
 
 jobs:
   prepare:
@@ -118,25 +120,14 @@ jobs:
         fetch-depth: 0
     -
       name: Restore State
-      uses: ./.github/actions/artifacts-restore
-    -
-      uses: actions/download-artifact@v4
-      name: Download native linux packages
-      with:
-        name: native-Linux
-        path: ${{ github.workspace }}/artifacts/packages/native
+      uses: ./.github/actions/cache-restore
     -
-      uses: actions/download-artifact@v4
-      name: Download native windows packages
-      with:
-        name: native-Windows
-        path: ${{ github.workspace }}/artifacts/packages/native
+      name: Restore Artifacts
+      uses: ./.github/actions/artifacts-restore
     -
-      uses: actions/download-artifact@v4
-      name: Download native macos packages
-      with:
-        name: native-macOS
-        path: ${{ github.workspace }}/artifacts/packages/native
+      name: Attetstation
+      if: ${{ github.event_name == 'repository_dispatch' }}
+      uses: ./.github/actions/artifacts-attest
     -
       name: '[Release]'
       shell: pwsh

diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml
@@ -100,7 +100,7 @@ jobs:
         fetch-depth: 0
     -
       name: Restore State
-      uses: ./.github/actions/artifacts-restore
+      uses: ./.github/actions/cache-restore
     -
       name: '[Build Documentation]'
       shell: pwsh
@@ -139,7 +139,7 @@ jobs:
         fetch-depth: 0
     -
       name: Restore State
-      uses: ./.github/actions/artifacts-restore
+      uses: ./.github/actions/cache-restore
     -
       name: '[Build Schemas]'
       shell: pwsh

diff --git a/build/CI.sln b/build/CI.sln
@@ -7,11 +7,6 @@ ProjectSection(SolutionItems) = preProject
 	..\.gitignore = ..\.gitignore
 	..\.config\dotnet-tools.json = ..\.config\dotnet-tools.json
 	..\package.json = ..\package.json
-
-
-
-
-
 	..\.remarkrc.yaml = ..\.remarkrc.yaml
 EndProjectSection
 EndProject
@@ -54,12 +49,6 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "workflows", "workflows", "{
 	EndProjectSection
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "actions", "actions", "{A9B92261-AB9C-47D6-A8A7-616A5A62B063}"
-	ProjectSection(SolutionItems) = preProject
-		..\.github\actions\artifacts-restore\action.yml = ..\.github\actions\artifacts-restore\action.yml
-		..\.github\actions\docker-manifests\action.yml = ..\.github\actions\docker-manifests\action.yml
-		..\.github\actions\docker-publish\action.yml = ..\.github\actions\docker-publish\action.yml
-		..\.github\actions\docker-test\action.yml = ..\.github\actions\docker-test\action.yml
-	EndProjectSection
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "scripts", "scripts", "{960DC223-117E-41DE-8A89-C85E3D69A8E8}"
 	ProjectSection(SolutionItems) = preProject
@@ -68,6 +57,33 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "scripts", "scripts", "{960D
 		..\tests\scripts\test-native-tool.sh = ..\tests\scripts\test-native-tool.sh
 	EndProjectSection
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "cache-restore", "cache-restore", "{6B2EAF4B-81AF-44F8-8578-1B051C8AAA26}"
+	ProjectSection(SolutionItems) = preProject
+		..\.github\actions\cache-restore\action.yml = ..\.github\actions\cache-restore\action.yml
+	EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docker-manifests", "docker-manifests", "{9F17919E-097F-4696-AB9C-20036F7F5E1D}"
+	ProjectSection(SolutionItems) = preProject
+		..\.github\actions\docker-manifests\action.yml = ..\.github\actions\docker-manifests\action.yml
+	EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docker-publish", "docker-publish", "{EEB7B107-B408-4C4B-886D-7728EC692CBD}"
+	ProjectSection(SolutionItems) = preProject
+		..\.github\actions\docker-publish\action.yml = ..\.github\actions\docker-publish\action.yml
+	EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docker-test", "docker-test", "{965AC311-8A65-4AEB-B11F-3E4EBDFFBB8F}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "artifacts-restore", "artifacts-restore", "{FF815E24-AE9E-49E5-BC93-F859450F9CD0}"
+	ProjectSection(SolutionItems) = preProject
+		..\.github\actions\artifacts-restore\action.yml = ..\.github\actions\artifacts-restore\action.yml
+	EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "artifacts-attest", "artifacts-attest", "{C4A801B1-45B1-4D2E-8911-4823778BF582}"
+	ProjectSection(SolutionItems) = preProject
+		..\.github\actions\artifacts-attest\action.yml = ..\.github\actions\artifacts-attest\action.yml
+	EndProjectSection
+EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
 		Debug|Any CPU = Debug|Any CPU
@@ -107,4 +123,12 @@ Global
 		{8DAB65D8-57E8-4185-96FC-8A7C7373FC23}.Release|Any CPU.ActiveCfg = Release|Any CPU
 		{8DAB65D8-57E8-4185-96FC-8A7C7373FC23}.Release|Any CPU.Build.0 = Release|Any CPU
 	EndGlobalSection
+	GlobalSection(NestedProjects) = preSolution
+		{6B2EAF4B-81AF-44F8-8578-1B051C8AAA26} = {A9B92261-AB9C-47D6-A8A7-616A5A62B063}
+		{9F17919E-097F-4696-AB9C-20036F7F5E1D} = {A9B92261-AB9C-47D6-A8A7-616A5A62B063}
+		{EEB7B107-B408-4C4B-886D-7728EC692CBD} = {A9B92261-AB9C-47D6-A8A7-616A5A62B063}
+		{965AC311-8A65-4AEB-B11F-3E4EBDFFBB8F} = {A9B92261-AB9C-47D6-A8A7-616A5A62B063}
+		{FF815E24-AE9E-49E5-BC93-F859450F9CD0} = {A9B92261-AB9C-47D6-A8A7-616A5A62B063}
+		{C4A801B1-45B1-4D2E-8911-4823778BF582} = {A9B92261-AB9C-47D6-A8A7-616A5A62B063}
+	EndGlobalSection
 EndGlobal