From b9764a1d4b92bf034935d63228356365d771f67d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lomig=20Me=CC=81gard?=
Date: Mon, 15 Jun 2026 22:31:19 +0200
Subject: [PATCH] ci: verify rite-ls provenance from rite-ly/rite
---
 .github/actions/verify-rite-ls/action.yml | 26 +++++++++++++++++++++++
 .github/workflows/release.yml | 10 ++++++++-
 .github/workflows/verify-rite-ls.yml | 22 +++++++++++++++++++
 scripts/download-rite-ls.sh | 4 ++++
 4 files changed, 61 insertions(+), 1 deletion(-)
 create mode 100644 .github/actions/verify-rite-ls/action.yml
 create mode 100644 .github/workflows/verify-rite-ls.yml
diff --git a/.github/actions/verify-rite-ls/action.yml b/.github/actions/verify-rite-ls/action.yml
new file mode 100644
index 0000000..ac50dfe
--- /dev/null
+++ b/.github/actions/verify-rite-ls/action.yml
@@ -0,0 +1,26 @@
+name: Verify rite-ls provenance
+description: >-
+ Verify the bundled rite-ls binaries against rite-ly/rite build provenance
+ attestations, using the gh CLI preinstalled on GitHub-hosted runners.
+
+runs:
+ using: composite
+ steps:
+ - name: Verify bundled rite-ls binaries
+ shell: bash
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ found=0
+ while IFS= read -r f; do
+ found=1
+ echo "::group::verify ${f}"
+ gh attestation verify "${f}" \
+ --repo rite-ly/rite \
+ --signer-workflow rite-ly/rite/.github/workflows/release.yml
+ echo "::endgroup::"
+ done < <(find bin -type f \( -name 'rite-ls' -o -name 'rite-ls.exe' \) | sort)
+ if [ "${found}" -ne 1 ]; then
+ echo "No rite-ls binaries found under bin/" >&2
+ exit 1
+ fi
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index eae5815..e5f715a 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
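Review bot: The `gh attestation verify` call in the run block binds each binary to the rite-ly/rite release workflow but not to the release version this extension is meant to bundle, so any artifact that workflow ever attested — including an older build with known defects — passes the check. If the runner's gh supports it, pin the expected tag with `--source-ref refs/tags/<EXPECTED_VERSION>` (placeholder; take the value from wherever the repo records the pinned rite-ls version), or at minimum compare the verified subject against a recorded digest, and add `--deny-self-hosted-runners` so an upstream build produced on a self-hosted runner is not accepted. The `--signer-workflow` value carries no `@ref`, so whether a run of that workflow from a non-default upstream branch is accepted depends on gh's identity matching; a comment stating the intended policy, e.g. `# Accepts any ref of the upstream release workflow; version pinning is done via --source-ref`, would make the trust decision explicit.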
@@ -24,10 +24,18 @@ jobs:
 exit 1
 fi
 
+ verify:
+ name: Verify rite-ls provenance
+ runs-on: ubuntu-latest
+ needs: validate
+ steps:
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+ - uses: ./.github/actions/verify-rite-ls
+
 publish:
 name: Publish (${{ matrix.target }})
 runs-on: ubuntu-latest
- needs: validate
+ needs: [validate, verify]
 strategy:
 # Serialised: the first target creates the marketplace version, the rest
 # attach their platform package to it. Parallel uploads race on that.
diff --git a/.github/workflows/verify-rite-ls.yml b/.github/workflows/verify-rite-ls.yml
new file mode 100644
index 0000000..ac2f3ba
--- /dev/null
+++ b/.github/workflows/verify-rite-ls.yml
@@ -0,0 +1,22 @@
+name: Verify rite-ls
+
+# Only runs when the bundled binaries change (e.g. the Renovate version bump),
+# so ordinary code PRs don't pay for a network verification round-trip.
+on:
+ pull_request:
+ branches: [main]
+ paths: ['bin/**']
+ push:
+ branches: [main]
+ paths: ['bin/**']
+
+permissions:
+ contents: read
+
+jobs:
+ verify:
+ name: Verify rite-ls provenance
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
+ - uses: ./.github/actions/verify-rite-ls
diff --git a/scripts/download-rite-ls.sh b/scripts/download-rite-ls.sh
index 481eb6d..ab675c5 100755
--- a/scripts/download-rite-ls.sh
+++ b/scripts/download-rite-ls.sh
@@ -1,6 +1,10 @@
 #!/usr/bin/env bash
 # Download rite-ls binaries into bin/ from rite-ly/rite GitHub Releases.
 #
+# Provenance is verified separately in CI (see .github/actions/verify-rite-ls),
+# which gates both pull requests that touch bin/ and the release that publishes
+# the extension.
+#
 # Usage:
 # ./scripts/download-rite-ls.sh VERSION
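Review bot: The new `verify` job declares no `permissions:` block, so its `github.token` carries whatever the workflow-level setting or the repository default grants, and that setting is outside this hunk; the step only needs to read the checkout and query the attestations API. Adding `permissions:` with `contents: read` to the job, exactly as the standalone verify-rite-ls.yml workflow in this same commit does, keeps the job that invokes `gh` against an external repository on the narrowest token regardless of what `publish` needs. The `jobs:` mapping starts before and continues past this hunk.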
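Review bot: The `paths: ['bin/**']` filter on both the `pull_request` and `push` triggers means a change to the composite action or to this workflow file never runs the verification, so a broken or weakened check is only discovered at the next binary bump or at release time. Extend both lists to `paths: ['bin/**', '.github/actions/verify-rite-ls/**', '.github/workflows/verify-rite-ls.yml']`. Note also that on PRs not touching `bin/` the check is simply absent rather than reported as passed, which blocks merging if this job is ever made a required status check; the repository's branch-protection configuration is not visible here, so the comment above `on:` could state how the job is meant to interact with required checks.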