From 03972ee9902447ead500d4d5316f3fa1da40d43e Mon Sep 17 00:00:00 2001 From: Artur Stolear Date: Wed, 16 Oct 2024 19:37:22 +0200 Subject: [PATCH] (build) add actions/attest-build-provenance --- .github/actions/artifacts-attest/action.yml | 13 ++++++ .github/actions/artifacts-restore/action.yml | 31 +++++++------ .github/actions/cache-restore/action.yml | 25 +++++++++++ .github/workflows/_artifacts_linux.yml | 4 +- .github/workflows/_artifacts_windows.yml | 2 +- .github/workflows/_build.yml | 2 +- .github/workflows/_docker.yml | 2 +- .github/workflows/_docker_manifests.yml | 2 +- .github/workflows/_publish.yml | 4 +- .github/workflows/_unit_tests.yml | 2 +- .github/workflows/ci.yml | 25 ++++------- .github/workflows/docs.yml | 4 +- build/CI.sln | 46 +++++++++++++++----- 13 files changed, 110 insertions(+), 52 deletions(-) create mode 100644 .github/actions/artifacts-attest/action.yml create mode 100644 .github/actions/cache-restore/action.yml diff --git a/.github/actions/artifacts-attest/action.yml b/.github/actions/artifacts-attest/action.yml new file mode 100644 index 0000000000..a1d424e510 --- /dev/null +++ b/.github/actions/artifacts-attest/action.yml @@ -0,0 +1,13 @@ +name: 'Artifacts attestation' +description: 'Artifacts attestation' + +runs: + using: 'composite' + steps: + - + name: 'Attestation' + uses: actions/attest-build-provenance@v1 + with: + subject-path: | + ${{ github.workspace }}/artifacts/packages/native + ${{ github.workspace }}/artifacts/packages/nuget \ No newline at end of file diff --git a/.github/actions/artifacts-restore/action.yml b/.github/actions/artifacts-restore/action.yml index 88338f425c..acca453639 100644 --- a/.github/actions/artifacts-restore/action.yml +++ b/.github/actions/artifacts-restore/action.yml 
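Review bot: `uses: actions/attest-build-provenance@v1` references a mutable major tag, and because this action signs provenance with the job's OIDC identity it is the step most worth pinning to a full commit SHA with the tag kept as a comment, e.g. `uses: actions/attest-build-provenance@<full-commit-sha> # v1`. Both `subject-path` entries are directories rather than files; if the action resolves subjects as file paths or globs, these likely need to become patterns such as `${{ github.workspace }}/artifacts/packages/nuget/*`, which is worth confirming on a real run rather than discovering at release time. `description: 'Artifacts attestation'` only repeats `name`; `description: 'Generates signed build provenance for the native and nuget packages under artifacts/packages'` would say what the action does. This file, the new cache-restore action and the rewritten artifacts-restore action all end without a trailing newline (the `\ No newline at end of file` markers), which yamllint's new-line-at-end-of-file rule reports.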
@@ -5,21 +5,26 @@ runs: using: 'composite' steps: - - name: Use cached cake frosting - id: cache-cake - uses: actions/cache@v4 + uses: actions/download-artifact@v4 + name: Download native linux packages with: - path: run - key: run-${{ runner.os }}-${{ hashFiles('./build/**') }} + name: native-Linux + path: ${{ github.workspace }}/artifacts/packages/native - - name: Use cached tools - id: cache-tools - uses: actions/cache@v4 + uses: actions/download-artifact@v4 + name: Download native windows packages with: - path: tools - key: tools-${{ runner.os }}-${{ hashFiles('./build/**') }} + name: native-Windows + path: ${{ github.workspace }}/artifacts/packages/native - - name: Setup .NET SDK - uses: actions/setup-dotnet@v4 + uses: actions/download-artifact@v4 + name: Download native macos packages with: - global-json-file: global.json \ No newline at end of file + name: native-macOS + path: ${{ github.workspace }}/artifacts/packages/native + - + uses: actions/download-artifact@v4 + name: Download nuget packages + with: + name: nuget + path: ${{ github.workspace }}/artifacts/packages/nuget \ No newline at end of file diff --git a/.github/actions/cache-restore/action.yml b/.github/actions/cache-restore/action.yml new file mode 100644 index 0000000000..3a3487843b --- /dev/null +++ b/.github/actions/cache-restore/action.yml @@ -0,0 +1,25 @@ +name: 'Cache restore' +description: 'Cache restore' + +runs: + using: 'composite' + steps: + - + name: Use cached cake frosting + id: cache-cake + uses: actions/cache@v4 + with: + path: run + key: run-${{ runner.os }}-${{ hashFiles('./build/**') }} + - + name: Use cached tools + id: cache-tools + uses: actions/cache@v4 + with: + path: tools + key: tools-${{ runner.os }}-${{ hashFiles('./build/**') }} + - + name: Setup .NET SDK + uses: actions/setup-dotnet@v4 + with: + global-json-file: global.json \ No newline at end of file 
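Review bot: `name: 'Cache restore'` and `description: 'Cache restore'` under-describe the action, since its third step `Setup .NET SDK` installs the SDK from `global.json` rather than restoring a cache; `description: 'Restores the cached cake frosting build and tools for the current OS and sets up the .NET SDK from global.json'` would match the steps. Now that this action is the single place the `run` and `tools` caches are defined, note that both keys hash only `./build/**`, so a change to `global.json` alone would not invalidate them; if tool versions are declared outside `./build` that is presumably unintended, and otherwise a short comment above the `key:` lines saying why `./build/**` is sufficient would help the next reader.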
diff --git a/.github/workflows/_artifacts_linux.yml b/.github/workflows/_artifacts_linux.yml index 86e13a9256..5d6bcd5454 100644 --- a/.github/workflows/_artifacts_linux.yml +++ b/.github/workflows/_artifacts_linux.yml @@ -37,7 +37,7 @@ jobs: fetch-depth: 0 - name: Restore State - uses: ./.github/actions/artifacts-restore + uses: ./.github/actions/cache-restore - uses: actions/download-artifact@v4 name: Download nuget packages @@ -48,7 +48,7 @@ jobs: uses: actions/download-artifact@v4 name: Download native packages with: - name: native-${{ runner.os }} + name: native-Linux path: ${{ github.workspace }}/artifacts/packages/native - name: '[Test Artifacts]' diff --git a/.github/workflows/_artifacts_windows.yml b/.github/workflows/_artifacts_windows.yml index 0f569701a5..6c1832961e 100644 --- a/.github/workflows/_artifacts_windows.yml +++ b/.github/workflows/_artifacts_windows.yml @@ -22,7 +22,7 @@ jobs: fetch-depth: 0 - name: Restore State - uses: ./.github/actions/artifacts-restore + uses: ./.github/actions/cache-restore - uses: actions/download-artifact@v4 name: Download nuget packages diff --git a/.github/workflows/_build.yml b/.github/workflows/_build.yml index dc57215083..75ed54e3c2 100644 --- a/.github/workflows/_build.yml +++ b/.github/workflows/_build.yml @@ -22,7 +22,7 @@ jobs: fetch-depth: 0 - name: Restore State - uses: ./.github/actions/artifacts-restore + uses: ./.github/actions/cache-restore - name: '[Build]' shell: pwsh diff --git a/.github/workflows/_docker.yml b/.github/workflows/_docker.yml index edecf7f857..c502782848 100644 --- a/.github/workflows/_docker.yml +++ b/.github/workflows/_docker.yml @@ -37,7 +37,7 @@ jobs: fetch-depth: 0 - name: Restore State - uses: ./.github/actions/artifacts-restore + uses: ./.github/actions/cache-restore - uses: actions/download-artifact@v4 name: Download nuget packages diff --git a/.github/workflows/_docker_manifests.yml b/.github/workflows/_docker_manifests.yml index 0049c2438f..be38bf1bf5 100644 
--- a/.github/workflows/_docker_manifests.yml +++ b/.github/workflows/_docker_manifests.yml @@ -30,7 +30,7 @@ jobs: fetch-depth: 0 - name: Restore State - uses: ./.github/actions/artifacts-restore + uses: ./.github/actions/cache-restore - name: Set up Docker uses: crazy-max/ghaction-setup-docker@v3 diff --git a/.github/workflows/_publish.yml b/.github/workflows/_publish.yml index ce6157faef..d9aec579e7 100644 --- a/.github/workflows/_publish.yml +++ b/.github/workflows/_publish.yml @@ -26,7 +26,7 @@ jobs: fetch-depth: 0 - name: Restore State - uses: ./.github/actions/artifacts-restore + uses: ./.github/actions/cache-restore - uses: actions/download-artifact@v4 name: Download nuget packages @@ -36,4 +36,4 @@ jobs: - name: '[Publish]' shell: pwsh - run: dotnet run/publish.dll --target=Publish${{ matrix.taskName }} + run: dotnet run/publish.dll --target=Publish${{ matrix.taskName }} \ No newline at end of file diff --git a/.github/workflows/_unit_tests.yml b/.github/workflows/_unit_tests.yml index 03b45d14e5..b59c395694 100644 --- a/.github/workflows/_unit_tests.yml +++ b/.github/workflows/_unit_tests.yml @@ -25,7 +25,7 @@ jobs: fetch-depth: 0 - name: Restore State - uses: ./.github/actions/artifacts-restore + uses: ./.github/actions/cache-restore - name: '[Unit Test]' shell: pwsh diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index a85688e8db..ae4576d4db 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -34,8 +34,10 @@ env: ENABLED_DIAGNOSTICS: ${{ secrets.ENABLED_DIAGNOSTICS }} permissions: + id-token: write contents: read packages: write + attestations: write jobs: prepare: 
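Review bot: `id-token: write` and `attestations: write` are added to the workflow-level `permissions` block of ci.yml, so every job in the workflow, not only the job that runs the attestation step, can mint OIDC tokens and write attestations. Least privilege would leave the top-level block at `contents: read` / `packages: write` and add the two new scopes only in the `permissions:` of the job that uses `./.github/actions/artifacts-attest`, which also limits what a compromised third-party action in any other job could do with the token. The job definitions are outside this hunk, so I cannot see whether some jobs already override `permissions` at job level.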
@@ -118,25 +120,14 @@ jobs: fetch-depth: 0 - name: Restore State - uses: ./.github/actions/artifacts-restore - - - uses: actions/download-artifact@v4 - name: Download native linux packages - with: - name: native-Linux - path: ${{ github.workspace }}/artifacts/packages/native + uses: ./.github/actions/cache-restore - - uses: actions/download-artifact@v4 - name: Download native windows packages - with: - name: native-Windows - path: ${{ github.workspace }}/artifacts/packages/native + name: Restore Artifacts + uses: ./.github/actions/artifacts-restore - - uses: actions/download-artifact@v4 - name: Download native macos packages - with: - name: native-macOS - path: ${{ github.workspace }}/artifacts/packages/native + name: Attetstation + if: ${{ github.event_name == 'repository_dispatch' }} + uses: ./.github/actions/artifacts-attest - name: '[Release]' shell: pwsh diff --git a/.github/workflows/docs.yml b/.github/workflows/docs.yml index bc3fb3b7aa..9f4d8ed7ad 100644 --- a/.github/workflows/docs.yml +++ b/.github/workflows/docs.yml @@ -100,7 +100,7 @@ jobs: fetch-depth: 0 - name: Restore State - uses: ./.github/actions/artifacts-restore + uses: ./.github/actions/cache-restore - name: '[Build Documentation]' shell: pwsh @@ -139,7 +139,7 @@ jobs: fetch-depth: 0 - name: Restore State - uses: ./.github/actions/artifacts-restore + uses: ./.github/actions/cache-restore - name: '[Build Schemas]' shell: pwsh diff --git a/build/CI.sln b/build/CI.sln index f0edfb151e..fd9518e7a0 100644 --- a/build/CI.sln +++ b/build/CI.sln @@ -7,11 +7,6 @@ ProjectSection(SolutionItems) = preProject ..\.gitignore = ..\.gitignore ..\.config\dotnet-tools.json = ..\.config\dotnet-tools.json ..\package.json = ..\package.json - - - - - ..\.remarkrc.yaml = ..\.remarkrc.yaml EndProjectSection EndProject 
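Review bot: The new step name `Attetstation` is misspelled and is what shows in the run UI; it should read `name: Attestation`. The attestation step runs before `[Release]`, so the provenance covers the restored artifacts exactly as downloaded; if the release target rewrites, re-signs or re-packs anything under `artifacts/packages`, the attested digests will not match what is published, which is worth confirming against the release target. The `if: ${{ github.event_name == 'repository_dispatch' }}` gate also means push and pull-request runs never exercise the action, so a wrong `subject-path` would only surface during a release. The job's start and the `[Release]` step's body are outside this hunk.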
@@ -54,12 +49,6 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "workflows", "workflows", "{
 EndProjectSection
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "actions", "actions", "{A9B92261-AB9C-47D6-A8A7-616A5A62B063}"
- ProjectSection(SolutionItems) = preProject
- ..\.github\actions\artifacts-restore\action.yml = ..\.github\actions\artifacts-restore\action.yml
- ..\.github\actions\docker-manifests\action.yml = ..\.github\actions\docker-manifests\action.yml
- ..\.github\actions\docker-publish\action.yml = ..\.github\actions\docker-publish\action.yml
- ..\.github\actions\docker-test\action.yml = ..\.github\actions\docker-test\action.yml
- EndProjectSection
 EndProject
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "scripts", "scripts", "{960DC223-117E-41DE-8A89-C85E3D69A8E8}"
 ProjectSection(SolutionItems) = preProject
@@ -68,6 +57,33 @@ Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "scripts", "scripts", "{960D
 ..\tests\scripts\test-native-tool.sh = ..\tests\scripts\test-native-tool.sh
 EndProjectSection
 EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "cache-restore", "cache-restore", "{6B2EAF4B-81AF-44F8-8578-1B051C8AAA26}"
+ ProjectSection(SolutionItems) = preProject
+ ..\.github\actions\cache-restore\action.yml = ..\.github\actions\cache-restore\action.yml
+ EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docker-manifests", "docker-manifests", "{9F17919E-097F-4696-AB9C-20036F7F5E1D}"
+ ProjectSection(SolutionItems) = preProject
+ ..\.github\actions\docker-manifests\action.yml = ..\.github\actions\docker-manifests\action.yml
+ EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docker-publish", "docker-publish", "{EEB7B107-B408-4C4B-886D-7728EC692CBD}"
+ ProjectSection(SolutionItems) = preProject
+ ..\.github\actions\docker-publish\action.yml = ..\.github\actions\docker-publish\action.yml
+ EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "docker-test", "docker-test", "{965AC311-8A65-4AEB-B11F-3E4EBDFFBB8F}"
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "artifacts-restore", "artifacts-restore", "{FF815E24-AE9E-49E5-BC93-F859450F9CD0}"
+ ProjectSection(SolutionItems) = preProject
+ ..\.github\actions\artifacts-restore\action.yml = ..\.github\actions\artifacts-restore\action.yml
+ EndProjectSection
+EndProject
+Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "artifacts-attest", "artifacts-attest", "{C4A801B1-45B1-4D2E-8911-4823778BF582}"
+ ProjectSection(SolutionItems) = preProject
+ ..\.github\actions\artifacts-attest\action.yml = ..\.github\actions\artifacts-attest\action.yml
+ EndProjectSection
+EndProject
 Global
 GlobalSection(SolutionConfigurationPlatforms) = preSolution
 Debug|Any CPU = Debug|Any CPU
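Review bot: The new `docker-test` solution folder is added with no `ProjectSection(SolutionItems)`, while the previous hunk in this file removes `..\.github\actions\docker-test\action.yml` from the old `actions` folder's items, so that file disappears from the solution view unless it no longer exists in the repository. If it is still present, the folder should take the same shape as its siblings: `ProjectSection(SolutionItems) = preProject` / `..\.github\actions\docker-test\action.yml = ..\.github\actions\docker-test\action.yml` / `EndProjectSection` between its `Project(...)` and `EndProject` lines.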
@@ -107,4 +123,12 @@ Global
 {8DAB65D8-57E8-4185-96FC-8A7C7373FC23}.Release|Any CPU.ActiveCfg = Release|Any CPU
 {8DAB65D8-57E8-4185-96FC-8A7C7373FC23}.Release|Any CPU.Build.0 = Release|Any CPU
 EndGlobalSection
+ GlobalSection(NestedProjects) = preSolution
+ {6B2EAF4B-81AF-44F8-8578-1B051C8AAA26} = {A9B92261-AB9C-47D6-A8A7-616A5A62B063}
+ {9F17919E-097F-4696-AB9C-20036F7F5E1D} = {A9B92261-AB9C-47D6-A8A7-616A5A62B063}
+ {EEB7B107-B408-4C4B-886D-7728EC692CBD} = {A9B92261-AB9C-47D6-A8A7-616A5A62B063}
+ {965AC311-8A65-4AEB-B11F-3E4EBDFFBB8F} = {A9B92261-AB9C-47D6-A8A7-616A5A62B063}
+ {FF815E24-AE9E-49E5-BC93-F859450F9CD0} = {A9B92261-AB9C-47D6-A8A7-616A5A62B063}
+ {C4A801B1-45B1-4D2E-8911-4823778BF582} = {A9B92261-AB9C-47D6-A8A7-616A5A62B063}
+ EndGlobalSection
 EndGlobal