chore: slsa publishing flow for npm (#34)

* chore: slsa publishing flow for npm Signed-off-by: Sam Gammon <sam@elide.ventures> * chore: build fixes, buildbuddy, faster bazel builds Signed-off-by: Sam Gammon <sam@elide.ventures> * fix: file structure for js packages Signed-off-by: Sam Gammon <sam@elide.ventures> * fix: download built artifacts Signed-off-by: Sam Gammon <sam@elide.ventures> * fix: provide publish token Signed-off-by: Sam Gammon <sam@elide.ventures> * fix: publishing workflows Signed-off-by: Sam Gammon <sam@elide.ventures> * chore: ability to override registry for npm publish Signed-off-by: Sam Gammon <sam@elide.ventures> * build(deps-dev): bump @types/node from 20.11.28 to 20.11.29 Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.28 to 20.11.29. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps): bump actions/deploy-pages from 4.0.4 to 4.0.5 Bumps [actions/deploy-pages](https://github.com/actions/deploy-pages) from 4.0.4 to 4.0.5. - [Release notes](https://github.com/actions/deploy-pages/releases) - [Commits](actions/deploy-pages@decdde0...d6db901) --- updated-dependencies: - dependency-name: actions/deploy-pages dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps): bump actions/checkout from 3.6.0 to 4.1.2 Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.1.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@v3.6.0...9bb5618) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com> * build(deps): bump ruby/setup-ruby from 1.161.0 to 1.172.0 Bumps [ruby/setup-ruby](https://github.com/ruby/setup-ruby) from 1.161.0 to 1.172.0. - [Release notes](https://github.com/ruby/setup-ruby/releases) - [Commits](ruby/setup-ruby@8575951...d4526a5) --- updated-dependencies: - dependency-name: ruby/setup-ruby dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * fix: publishing upload condition Signed-off-by: Sam Gammon <sam@elide.ventures> * chore: update lockfiles Signed-off-by: Sam Gammon <sam@elide.ventures> * fix: unconditionally upload assets for release Signed-off-by: Sam Gammon <sam@elide.ventures> --------- Signed-off-by: Sam Gammon <sam@elide.ventures> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
elide-dev · Mar 19, 2024 · 162f120 · 162f120
1 parent 915930b
commit 162f120
Show file tree

Hide file tree

Showing 45 changed files with 1,157 additions and 787 deletions.
diff --git a/.bazelrc b/.bazelrc
@@ -0,0 +1,3 @@
+
+import tools/bazel.rc
+
diff --git a/.github/bazel.rc b/.github/bazel.rc
@@ -0,0 +1,28 @@
+common --announce_rc
+common --enable_platform_specific_config
+common --experimental_isolated_extension_usages
+
+build:buildbuddy-ci --bes_results_url=https://skunkworks.buildbuddy.io/invocation/
+build:buildbuddy-ci --bes_backend=grpcs://skunkworks.buildbuddy.io
+build:buildbuddy-ci --remote_cache=grpcs://skunkworks.buildbuddy.io
+build:buildbuddy-ci --remote_timeout=3600
+build:buildbuddy-ci --noslim_profile
+build:buildbuddy-ci --nolegacy_important_outputs
+
+build:buildbuddy-ci --experimental_remote_cache_compression
+build:buildbuddy-ci --experimental_remote_build_event_upload=minimal
+build:buildbuddy-ci --experimental_profile_include_target_label
+build:buildbuddy-ci --experimental_profile_include_primary_output 
+build:buildbuddy-ci --experimental_inmemory_jdeps_files
+build:buildbuddy-ci --experimental_inmemory_dotd_files
+
+build:remote-exec --remote_executor=grpcs://skunkworks.buildbuddy.io
+
+build --config=buildbuddy-ci
+
+build:ci-metadata --build_metadata=ROLE=CI
+build:ci-metadata --build_metadata=HOST=gha
+build:ci-metadata --build_metadata=VISIBILITY=PUBLIC
+build:ci-metadata --build_metadata=REPO_URL=https://github.com/elide-dev/jpms.git
+
+build --config=ci-metadata
diff --git a/.github/bazel.workspace b/.github/bazel.workspace
@@ -0,0 +1,5 @@
+http_archive(
+    name = "rbe_default",
+    sha256 = "cdffa3b0fbf72c361d10937c41f2ca2274efd234e3757b011b48ac0ced13be03",
+    url = "https://dl.less.build/toolchains/bazel/rbe/elidecloud-v4a-ubuntu23.10.tgz",
+)
diff --git a/.github/codecov.yml b/.github/codecov.yml
@@ -33,6 +33,7 @@ github_checks:
   annotations: true
 
 ignore:
+  - "jdk"
   - "samples"
   - "tools/processor"
   - "tools/substrate/injekt"

diff --git a/.github/workflows/ci.build-test.yml b/.github/workflows/ci.build-test.yml
@@ -11,6 +11,9 @@ name: "Build & Test"
       CODECOV_TOKEN:
         description: "Codecov Token"
         required: false
+      BUILDBUDDY_APIKEY:
+        description: "BuildBuddy API Key"
+        required: false
 
   workflow_dispatch: {}
 
@@ -62,6 +65,12 @@ jobs:
             .m2
             ~/.cache/bazel
           key: jpms-attic-v1-${{ runner.os }}
+      - name: "Setup: BuildBuddy"
+        run: echo "build --remote_header=x-buildbuddy-api-key=$BUILDBUDDY_KEY" >> ./.github/bazel.rc
+        env:
+          BUILDBUDDY_KEY: ${{ secrets.BUILDBUDDY_APIKEY }}
+      - name: "Setup: Bazel Configuration"
+        run: cp -fv ./.github/bazel.rc ./tools/bazel.rc
       - name: "Build & Test Repository"
         run: make TESTS=${{ inputs.tests && 'yes' || 'no' }} SIGNING=no JAVADOC=no SNAPSHOT=yes
       - name: "Reporting: Code Coverage"
@@ -70,6 +79,8 @@ jobs:
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: elide-dev/jpms
+          flags: packages
+          verbose: true
       - name: "Build: Packages"
         run: pnpm run -r pack
       - name: "Artifact: Packages"

diff --git a/.github/workflows/ci.publish-package.yml b/.github/workflows/ci.publish-package.yml
@@ -0,0 +1,217 @@
+name: "Publish: Package"
+
+on:
+  workflow_call:
+    inputs:
+      package:
+        description: "Package"
+        type: string
+        required: true
+      registry:
+        description: "Registry"
+        type: string
+        default: 'https://registry.npmjs.org'
+      dry-run:
+        description: "Dry Run"
+        type: boolean
+        default: false
+      release:
+        description: "Release to GitHub"
+        type: boolean
+        default: false
+      tag:
+        description: "Release: Tag"
+        type: string
+      draft:
+        description: "Release: Draft"
+        type: boolean
+      prerelease:
+        description: "Release: Pre-release"
+        type: boolean
+      release-name:
+        description: "Release: Name"
+        type: string
+      release-generate:
+        description: "Release: Generate Notes"
+        type: boolean
+      release-latest:
+        description: "Release: Latest"
+        type: boolean
+
+    secrets:
+      PUBLISH_TOKEN:
+        description: "Publishing Token"
+        required: true
+
+  workflow_dispatch:
+    inputs:
+      package:
+        description: "Package"
+        type: choice
+        required: true
+        options:
+        - java
+        - maven
+        - gradle
+        - indexer
+      dry-run:
+        description: "Dry Run"
+        type: boolean
+        default: false
+      registry:
+        description: "Registry"
+        type: string
+        default: 'https://registry.npmjs.org'
+      release:
+        description: "Release to GitHub"
+        type: boolean
+        default: false
+      tag:
+        description: "Release Tag"
+        type: string
+      draft:
+        description: "Release: Draft"
+        type: boolean
+      prerelease:
+        description: "Release: Pre-release"
+        type: boolean
+      release-name:
+        description: "Release: Name"
+        type: string
+      release-generate:
+        description: "Release: Generate Notes"
+        type: boolean
+      release-latest:
+        description: "Release: Latest"
+        type: boolean
+
+jobs:
+  build:
+    name: "Package: Build (${{ inputs.package }})"
+    runs-on: ubuntu-latest
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: "Setup: Harden Runner"
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          persist-credentials: false
+      - name: "Setup: Node"
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version: ${{ vars.NODE_VERSION || '21' }}
+          registry-url: 'https://registry.npmjs.org'
+      - name: "Setup: PNPM"
+        uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
+        with:
+          version: ${{ vars.PNPM_VERSION || '8' }}
+          run_install: |
+            - recursive: true
+              args: [--frozen-lockfile, --strict-peer-dependencies]
+      - name: "Build: Package (${{ inputs.package }})"
+        run: cd packages/${{ inputs.package }} && pnpm pack
+      - name: "Build: Provenance Hashes"
+        shell: bash
+        id: hash
+        run: |
+          echo "Release assets:"
+          ls -la packages/*/*.tgz
+          file packages/*/*.tgz
+          du -h packages/*/*.tgz
+          echo ""
+
+          sha256sum packages/*/*.tgz > ./packages/${{ inputs.package }}/pkg-hashes.txt
+          echo "Hashes:"
+          cat ./packages/${{ inputs.package }}/pkg-hashes.txt
+          echo ""
+
+          cat ./packages/${{ inputs.package }}/pkg-hashes.txt | base64 -w0 > ./packages/${{ inputs.package }}/pkg-hashes-encoded.txt
+          echo "Encoded Hashes:"
+          cat ./packages/${{ inputs.package }}/pkg-hashes-encoded.txt
+          echo ""
+
+          echo "hashes=$(cat ./packages/${{ inputs.package }}/pkg-hashes-encoded.txt)" >> "$GITHUB_OUTPUT"
+      - name: "Artifact: Packages"
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: javamodules-pkg-${{ inputs.package }}-${{ github.sha }}
+          retention-days: 30
+          compression-level: 1
+          overwrite: true
+          path: |
+            packages/${{ inputs.package }}/*.tgz
+            packages/${{ inputs.package }}/pkg-hashes.txt
+            packages/${{ inputs.package }}/pkg-hashes-encoded.txt
+
+  provenance:
+    name: "SLSA Provenance (${{ inputs.package }})"
+    needs: [build]
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.9.0
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-assets: true
+
+  release:
+    name: "Release to GitHub (${{ inputs.package }})"
+    needs: [build, provenance]
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/') || inputs.release
+    steps:
+      - name: "Artifact: Package"
+        id: releaseArtifact
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        with:
+          name: javamodules-pkg-${{ inputs.package }}-${{ github.sha }}
+      - name: "Artifact: Provenance"
+        id: provenanceArtifact
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        with:
+          name: ${{ needs.provenance.outputs.provenance-name }}
+      - name: "Publish: Release"
+        uses: softprops/action-gh-release@d99959edae48b5ffffd7b00da66dcdb0a33a52ee # v2.0.2
+        with:
+          draft: ${{ inputs.draft }}
+          prerelease: ${{ inputs.prerelease }}
+          name: ${{ inputs.release-name }}
+          tag_name: ${{ inputs.tag || github.ref }}
+          generate_release_notes: ${{ inputs.release-generate }}
+          append_body: true
+          files: |
+            ${{ steps.releaseArtifact.outputs.download-path }}
+            ${{ steps.provenanceArtifact.outputs.download-path }}
+
+  publish-npm:
+    name: "Publish to Registry (${{ inputs.package }})"
+    needs: [build, provenance, release]
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/') || inputs.release
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
+    steps:
+      - name: "Artifact: Package"
+        id: releaseArtifact
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        with:
+          name: javamodules-pkg-${{ inputs.package }}-${{ github.sha }}
+      - name: "Artifact: Provenance"
+        id: provenanceArtifact
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        with:
+          name: ${{ needs.provenance.outputs.provenance-name }}
+      - name: "Publish to Registry"
+        run: cd packages/${{ inputs.package }} && pnpm run ${{ inputs.dry-run && 'publish:dry' || 'publish:live' }} --registry=${{ inputs.registry }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}