author | Divy Srivastava <dj.srivastava23@gmail.com> | 2024-02-28 07:58:02 +0530 |
---|---|---|
committer | GitHub <noreply@github.com> | 2024-02-28 07:58:02 +0530 |
commit | 9b5d2f8c1bae498d78400c8e9263bcae6e521adf (patch) | |
tree | 69453f9be9fc65774f3087bb986409aadee5acb4 /tests/util/server/src/lib.rs | |
parent | e9fe71acb53c8856754ef892c463253cb96087ce (diff) |
feat(publish): provenance attestation (#22573)
Supply chain security for JSR.
```
$ deno publish --provenance
Successfully published @divy/test_provenance@0.0.3
Provenance transparency log available at https://search.sigstore.dev/?logIndex=73657418
```
0. Package has been published.
1. Fetches the version manifest and verifies that it matches the uploaded
files and exports.
2. Builds the attestation SLSA payload using Github actions env.
3. Creates an ephemeral key pair for signing the github token
(aud=sigstore) and DSSE pre authentication tag.
4. Requests a X.509 signing certificate from Fulcio using the challenge
and ephemeral public key PEM.
5. Prepares a DSSE envelop for Rekor to witness. Posts an intoto entry
to Rekor and gets back the transparency log index.
6. Builds the provenance bundle and posts it to JSR.
Diffstat (limited to 'tests/util/server/src/lib.rs')
-rw-r--r-- | tests/util/server/src/lib.rs | 56 |
1 files changed, 56 insertions, 0 deletions
diff --git a/tests/util/server/src/lib.rs b/tests/util/server/src/lib.rs
index 9a0323433..c65526ca3 100644
--- a/tests/util/server/src/lib.rs
+++ b/tests/util/server/src/lib.rs
@@ -64,6 +64,50 @@ pub fn env_vars_for_jsr_tests() -> Vec<(String, String)> {
 ]
 }
 
+pub fn env_vars_for_jsr_provenance_tests() -> Vec<(String, String)> {
+ let mut envs = env_vars_for_jsr_tests();
+ envs.extend(vec![
+ ("REKOR_URL".to_string(), rekor_url()),
+ ("FULCIO_URL".to_string(), fulcio_url()),
+ (
+ "DISABLE_JSR_MANIFEST_VERIFICATION_FOR_TESTING".to_string(),
+ "true".to_string(),
+ ),
+ ]);
+ // set GHA variable for attestation.
+ envs.extend([
+ ("CI".to_string(), "true".to_string()),
+ ("GITHUB_ACTIONS".to_string(), "true".to_string()),
+ ("ACTIONS_ID_TOKEN_REQUEST_URL".to_string(), gha_token_url()),
+ (
+ "ACTIONS_ID_TOKEN_REQUEST_TOKEN".to_string(),
+ "dummy".to_string(),
+ ),
+ (
+ "GITHUB_REPOSITORY".to_string(),
+ "littledivy/deno_sdl2".to_string(),
+ ),
+ (
+ "GITHUB_SERVER_URL".to_string(),
+ "https://github.com".to_string(),
+ ),
+ ("GITHUB_REF".to_string(), "refs/tags/sdl2@0.0.1".to_string()),
+ ("GITHUB_SHA".to_string(), "lol".to_string()),
+ ("GITHUB_RUN_ID".to_string(), "1".to_string()),
+ ("GITHUB_RUN_ATTEMPT".to_string(), "1".to_string()),
+ (
+ "RUNNER_ENVIRONMENT".to_string(),
+ "github-hosted".to_string(),
+ ),
+ (
+ "GITHUB_WORKFLOW_REF".to_string(),
+ "littledivy/deno_sdl2@refs/tags/sdl2@0.0.1".to_string(),
+ ),
+ ]);
+
+ envs
+}
+
 pub fn env_vars_for_jsr_npm_tests() -> Vec<(String, String)> {
 vec![
 ("NPM_CONFIG_REGISTRY".to_string(), npm_registry_url()),
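Review bot: `DISABLE_JSR_MANIFEST_VERIFICATION_FOR_TESTING` is set to `"true"` in `env_vars_for_jsr_provenance_tests` with no comment on why a provenance test must bypass the CLI's manifest check, and nothing marks this helper as test-fixture-only; the reason is presumably that the local test server returns no version manifest matching the upload, but that should be confirmed and written down, e.g. `// Test-only: the local JSR test server produces no matching version manifest, so the CLI's manifest verification is skipped. Never set in real publishing.` A `///` doc comment on the function stating that it points Rekor, Fulcio and the GHA OIDC endpoint at the local test server and injects a fake GitHub Actions context would also help readers. The two `extend` calls are written inconsistently: the first wraps its array in `vec![...]` while the second passes the array directly; `extend` takes any `IntoIterator`, so dropping the `vec!` is enough. `GITHUB_SHA` is `"lol"`, so if the provenance builder ever validates the commit SHA format this fixture will fail; a 40-hex placeholder value would be a more realistic stand-in.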
@@ -125,6 +169,18 @@ pub fn jsr_registry_url() -> String {
 "http://127.0.0.1:4250/".to_string()
 }
 
+pub fn rekor_url() -> String {
+ "http://127.0.0.1:4251".to_string()
+}
+
+pub fn fulcio_url() -> String {
+ "http://127.0.0.1:4251".to_string()
+}
+
+pub fn gha_token_url() -> String {
+ "http://127.0.0.1:4251/gha_oidc?test=true".to_string()
+}
+
 pub fn jsr_registry_unset_url() -> String {
 "http://JSR_URL.is.unset".to_string()
 }
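Review bot: `rekor_url()` and `fulcio_url()` return the identical origin `http://127.0.0.1:4251` with no doc comment, so a reader cannot tell whether the shared port is intentional (one test server emulating both Sigstore services) or a copy-paste slip; a comment such as `/// Rekor, Fulcio and the GHA OIDC mock are all served by the same test server on port 4251.` above the first helper would settle it. Note also that `jsr_registry_url()` returns a trailing slash while these three helpers do not; if the consumer joins paths by string concatenation that difference matters, but the consuming code is outside this hunk. The `?test=true` query on `gha_token_url()` presumably signals the mock to issue a fixed token and the caller appends further query parameters — worth confirming and documenting.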