Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
26 changes: 26 additions & 0 deletions .github/actions/verify-rite-ls/action.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
name: Verify rite-ls provenance
description: >-
Verify the bundled rite-ls binaries against rite-ly/rite build provenance
attestations, using the gh CLI preinstalled on GitHub-hosted runners.

runs:
using: composite
steps:
- name: Verify bundled rite-ls binaries
shell: bash
env:
GH_TOKEN: ${{ github.token }}
run: |
found=0
while IFS= read -r f; do
found=1
echo "::group::verify ${f}"
gh attestation verify "${f}" \
--repo rite-ly/rite \
--signer-workflow rite-ly/rite/.github/workflows/release.yml
echo "::endgroup::"
done < <(find bin -type f \( -name 'rite-ls' -o -name 'rite-ls.exe' \) | sort)
if [ "${found}" -ne 1 ]; then
echo "No rite-ls binaries found under bin/" >&2
exit 1
fi
10 changes: 9 additions & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,10 +24,18 @@ jobs:
exit 1
fi

verify:
name: Verify rite-ls provenance
runs-on: ubuntu-latest
needs: validate
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: ./.github/actions/verify-rite-ls

publish:
name: Publish (${{ matrix.target }})
runs-on: ubuntu-latest
needs: validate
needs: [validate, verify]
strategy:
# Serialised: the first target creates the marketplace version, the rest
# attach their platform package to it. Parallel uploads race on that.
Expand Down
22 changes: 22 additions & 0 deletions .github/workflows/verify-rite-ls.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
name: Verify rite-ls

# Only runs when the bundled binaries change (e.g. the Renovate version bump),
# so ordinary code PRs don't pay for a network verification round-trip.
on:
pull_request:
branches: [main]
paths: ['bin/**']
push:
branches: [main]
paths: ['bin/**']

permissions:
contents: read

jobs:
verify:
name: Verify rite-ls provenance
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
- uses: ./.github/actions/verify-rite-ls
4 changes: 4 additions & 0 deletions scripts/download-rite-ls.sh
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
#!/usr/bin/env bash
# Download rite-ls binaries into bin/ from rite-ly/rite GitHub Releases.
#
# Provenance is verified separately in CI (see .github/actions/verify-rite-ls),
# which gates both pull requests that touch bin/ and the release that publishes
# the extension.
#
# Usage:
# ./scripts/download-rite-ls.sh VERSION

Expand Down