From 862591ca18fd3150f0ae07a016ddee0ed282f2b6 Mon Sep 17 00:00:00 2001
From: "K.B.Dharun Krishna"
Date: Thu, 30 May 2024 11:05:32 +0530
Subject: [PATCH] feat/ci: add support for attesting release assets (#12851)
* feat: add support for attesting release assets
---------
Signed-off-by: K.B.Dharun Krishna
Co-authored-by: Lena <126529524+acuteenvy@users.noreply.github.com>
Co-authored-by: Sebastiaan Speck <12570668+sebastiaanspeck@users.noreply.github.com>
---
 .github/workflows/ci.yml | 60 +++++++++++++++++++++--
 .github/workflows/copy-release-assets.yml | 40 +++++++++++----
 2 files changed, 86 insertions(+), 14 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 41703da92..c549ed456 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -2,14 +2,14 @@ name: CI
 on: ['push', 'pull_request'] -permissions: - contents: write # to upload assets to releases - jobs: ci: - runs-on: ubuntu-latest - name: CI + runs-on: ubuntu-latest + permissions: + contents: write # to upload assets to releases + attestations: write # to upload assets attestation for build provenance + id-token: write # grant additional permission to attestation action to mint the OIDC token permission steps: - uses: actions/checkout@v4
@@ -53,3 +53,53 @@ jobs:
 env:
 DEPLOY_KEY: ${{ secrets.DEPLOY_KEY }}
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+ - name: Check for generated files
+ if: github.repository == 'tldr-pages/tldr' && github.ref == 'refs/heads/main'
+ id: check-files
+ run: |
+ if [[ -n $(find language_archives -name "*.zip" -print -quit) ]]; then
+ echo "zip_exists=true" >> $GITHUB_ENV
+ else
+ echo "zip_exists=false" >> $GITHUB_ENV
+ fi
+
+ if [[ -n $(find scripts/pdf -name "*.pdf" -print -quit) ]]; then
+ echo "pdf_exists=true" >> $GITHUB_ENV
+ else
+ echo "pdf_exists=false" >> $GITHUB_ENV
+ fi
+
+ if [[ -f tldr.sha256sums ]]; then
+ echo "checksums_exist=true" >> $GITHUB_ENV
+ else
+ echo "checksums_exist=false" >> $GITHUB_ENV
+ fi
+
+ - name: Construct subject-path for attest
+ if: github.repository == 'tldr-pages/tldr' && github.ref == 'refs/heads/main'
+ id: construct-subject-path
+ run: |
+ subject_path=""
+ if [[ ${{ env.zip_exists }} == 'true' ]]; then
+ zip_files=$(find language_archives -name '*.zip' -printf '%p,')
+ subject_path+="${zip_files::-1}"
+ fi
+ if [[ ${{ env.pdf_exists }} == 'true' ]]; then
+ if [[ -n $subject_path ]]; then subject_path+=","; fi
+ pdf_files=$(find scripts/pdf -name '*.pdf' -printf '%p,')
+ subject_path+="${pdf_files::-1}"
+ fi
+ if [[ ${{ env.checksums_exist }} == 'true' ]]; then
+ if [[ -n $subject_path ]]; then subject_path+=","; fi
+ subject_path+='tldr.sha256sums'
+ fi
+ echo "subject_path=$subject_path" >> $GITHUB_ENV
+
+ - name: Attest generated files
+ if: github.repository == 'tldr-pages/tldr' && github.ref == 'refs/heads/main'
+ id: attest
+ uses: actions/attest-build-provenance@v1
+ continue-on-error: true # prevent failing when no pages are modified
+ with:
+ subject-path: ${{ env.subject_path }}
diff --git a/.github/workflows/copy-release-assets.yml b/.github/workflows/copy-release-assets.yml
index 81780f665..b7ceca60b 100644
--- a/.github/workflows/copy-release-assets.yml
+++ b/.github/workflows/copy-release-assets.yml
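Review bot: `continue-on-error: true` on the `Attest generated files` step makes the provenance control fail open: a genuine failure (OIDC token minting, Sigstore/Rekor unavailability, a malformed subject path) is swallowed, the job stays green, and the assets that the preceding step — the one carrying `DEPLOY_KEY`/`GITHUB_TOKEN`, presumably the upload — have already been published without an attestation and nobody is told. The comment says the flag only exists for runs where nothing was generated, but that case is already decided by `check-files`, so gate on it instead and let real errors fail: `if: github.repository == 'tldr-pages/tldr' && github.ref == 'refs/heads/main' && env.subject_path != ''` and delete the `continue-on-error: true` line. If the earlier step does publish the files, it is also worth moving the attest step ahead of it so a failed attestation blocks the release rather than trailing it. Minor: `if [[ ${{ env.zip_exists }} == 'true' ]]` splices an expression into the script; the values are produced by this workflow's own step so it is not an injection, but reading the variable from the shell (`if [[ "$zip_exists" == 'true' ]]`) is the conventional form and avoids the pattern altogether.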
@@ -4,28 +4,50 @@ on: release: types: published -permissions: - contents: write - env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} jobs: release: - name: Copy assets to the new release + name: Copy release assets runs-on: ubuntu-latest + permissions: + contents: write # to upload assets to releases + attestations: write # to upload assets attestation for build provenance + id-token: write # grant additional permission to attestation action to mint the OIDC token permission steps: - uses: actions/checkout@v4 with: fetch-depth: 0 - - name: Download and upload + - name: Set tag names run: | - LATEST="$(git describe --tags --abbrev=0)" - PREVIOUS="$(git describe --tags --abbrev=0 "$LATEST"^)" + echo "LATEST=$(git describe --tags --abbrev=0)" >> $GITHUB_ENV + echo "PREVIOUS=$(git describe --tags --abbrev=0 $(git describe --tags --abbrev=0)^)" >> $GITHUB_ENV + - name: Download assets + run: | mkdir release-assets && cd release-assets - gh release download "$PREVIOUS" - gh release upload "$LATEST" -- * + + - name: Construct subject-path for attest + if: github.repository == 'tldr-pages/tldr' + id: construct-subject-path + run: | + zip_files=$(find release-assets -name '*.zip' -printf '%p,') + pdf_files=$(find release-assets -name '*.pdf' -printf '%p,') + subject_path="${zip_files::-1},${pdf_files::-1},release-assets/tldr.sha256sums" + echo "subject_path=$subject_path" >> $GITHUB_ENV + + - name: Attest copied assets + if: github.repository == 'tldr-pages/tldr' + id: attest + uses: actions/attest-build-provenance@v1 + with: + subject-path: ${{ env.subject_path }} + + - name: Upload assets + if: github.repository == 'tldr-pages/tldr' + working-directory: release-assets + run: gh release upload "$LATEST" -- *
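Review bot: The copy job downloads whatever is currently attached to the previous release, mints fresh build provenance for it and re-uploads it, with no integrity check in between, so an asset that had been replaced on the old release would be laundered with a new attestation signed by this workflow. Add a verification step between `Download assets` and `Construct subject-path for attest` that checks the files against their existing attestation (`gh attestation verify`) and, assuming `tldr.sha256sums` lists the asset file names as downloaded, against the checksum file; note the attestation check can only pass once the previous release's assets were themselves attested, so the first run after this change will need the checksum-only part or a one-off exemption. Separately, `subject_path="${zip_files::-1},${pdf_files::-1},release-assets/tldr.sha256sums"` lacks the guard that `ci.yml` has: when `find` matches nothing, bash rejects `${var::-1}` on an empty string (`substring expression < 0`), the step fails and the new release ends up with no assets at all. It would also help to state in a comment on `Attest copied assets` that the resulting statement names this workflow as the builder even though the files were built by `ci.yml`, so consumers know what the provenance actually attests.

```yaml
          gh release download "$PREVIOUS"

      - name: Verify downloaded assets
        if: github.repository == 'tldr-pages/tldr'
        working-directory: release-assets
        run: |
          # Fail closed: never re-attest a file whose checksum or existing
          # provenance does not verify.
          sha256sum --check --strict tldr.sha256sums
          shopt -s nullglob
          for f in *.zip *.pdf; do
            gh attestation verify "$f" --repo "$GITHUB_REPOSITORY"
          done

      # … unchanged: Construct subject-path for attest, Attest copied assets, Upload assets …
```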