denoland · littledivy · Feb 28, 2024 · Feb 23, 2024 · Feb 23, 2024 · Feb 24, 2024
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/cli/Cargo.toml b/cli/Cargo.toml
@@ -104,6 +104,8 @@ fancy-regex = "=0.10.0"
 # If you disable the default __vendored_zlib_ng feature above, you _must_ be able to link against `-lz`.
 flate2.workspace = true
 fs3.workspace = true
+p256.workspace = true
+spki = { version = "0.7", features = ["pem"] }
 glob = "0.3.1"
 hex.workspace = true
 ignore = "0.4"
@@ -126,6 +128,7 @@ pin-project.workspace = true
 quick-junit = "^0.3.5"
 rand = { workspace = true, features = ["small_rng"] }
 regex.workspace = true
+reqwest.workspace = true
 ring.workspace = true
 rustyline.workspace = true
 rustyline-derive = "=0.7.0"

diff --git a/cli/args/flags.rs b/cli/args/flags.rs
@@ -302,6 +302,7 @@ pub struct PublishFlags {
   pub token: Option<String>,
   pub dry_run: bool,
   pub allow_slow_types: bool,
+  pub provenance: bool,
 }
 
 #[derive(Clone, Debug, Eq, PartialEq)]
@@ -2395,6 +2396,12 @@ fn publish_subcommand() -> Command {
           .help("Allow publishing with slow types")
           .action(ArgAction::SetTrue),
       )
+      .arg(
+        Arg::new("provenance")
+          .long("provenance")
+          .help("From CI/CD system, publicly links the package to where it was built and published from.")
+          .action(ArgAction::SetTrue)
+      )
       .arg(check_arg(/* type checks by default */ true))
       .arg(no_check_arg())
     })
@@ -3835,6 +3842,7 @@ fn publish_parse(flags: &mut Flags, matches: &mut ArgMatches) {
     token: matches.remove_one("token"),
     dry_run: matches.get_flag("dry-run"),
     allow_slow_types: matches.get_flag("allow-slow-types"),
+    provenance: matches.get_flag("provenance"),
   });
 }
 

diff --git a/cli/tools/registry/auth.rs b/cli/tools/registry/auth.rs
@@ -17,6 +17,14 @@ pub struct OidcConfig {
   pub token: String,
 }
 
+pub(crate) fn is_gha() -> bool {
+  std::env::var("GITHUB_ACTIONS").unwrap_or_default() == "true"
+}
+
+pub(crate) fn gha_oidc_token() -> Option<String> {
+  std::env::var("ACTIONS_ID_TOKEN_REQUEST_TOKEN").ok()
+}
+
 fn get_gh_oidc_env_vars() -> Option<Result<(String, String), AnyError>> {
   if std::env::var("GITHUB_ACTIONS").unwrap_or_default() == "true" {
     let url = std::env::var("ACTIONS_ID_TOKEN_REQUEST_URL");

diff --git a/cli/tools/registry/mod.rs b/cli/tools/registry/mod.rs
@@ -48,6 +48,7 @@ mod auth;
 mod diagnostics;
 mod graph;
 mod paths;
+mod provenance;
 mod publish_order;
 mod tar;
 
@@ -444,6 +445,7 @@ async fn perform_publish(
   mut publish_order_graph: PublishOrderGraph,
   mut prepared_package_by_name: HashMap<String, Rc<PreparedPublishPackage>>,
   auth_method: AuthMethod,
+  provenance: bool,
 ) -> Result<(), AnyError> {
   let client = http_client.client()?;
   let registry_api_url = jsr_api_url().to_string();
@@ -504,6 +506,7 @@ async fn perform_publish(
           &registry_api_url,
           &registry_url,
           &authorization,
+          provenance,
         )
         .await
         .with_context(|| format!("Failed to publish {}", display_name))?;
@@ -530,6 +533,7 @@ async fn publish_package(
   registry_api_url: &str,
   registry_url: &str,
   authorization: &str,
+  provenance: bool,
 ) -> Result<(), AnyError> {
   let client = http_client.client()?;
   println!(
@@ -635,6 +639,46 @@ async fn publish_package(
     package.package,
     package.version
   );
+
+  if provenance {
+    // Get the version manifest from JSR
+    let meta_url = jsr_url().join(&format!(
+      "@{}/{}/{}_meta.json",
+      package.scope, package.package, package.version
+    ))?;
+
+    let meta_bytes = client.get(meta_url).send().await?.bytes().await?;
+
+    // TODO: Verify manifest.
+
+    let subject = provenance::Subject {
+      name: format!("{}/{}", package.scope, package.package),
+      digest: provenance::SubjectDigest {
+        sha512: hex::encode(sha2::Sha512::digest(&meta_bytes)),
+      },
+    };
+    let transparency_log = provenance::generate_provenance(subject).await?;
+
+    println!("{}",
+      colors::green(format!(
+        "Provenance transparency log available at https://search.sigstore.dev/?logIndex={}",
+        transparency_log.rekor_log_index
+      ))
+     );
+
+    // Submit transparency log ID to JSR
+    let provenance_url = format!(
+      "{}scopes/{}/packages/{}/versions/{}/provenance",
+      registry_api_url, package.scope, package.package, package.version
+    );
+    client
+      .post(provenance_url)
+      .header(reqwest::header::AUTHORIZATION, authorization)
+      .json(&json!({ "rekorlogId": transparency_log.rekor_log_index }))
+      .send()
+      .await?;
+  }
+
   println!(
     "{}",
     colors::gray(format!(
@@ -807,13 +851,12 @@ pub async fn publish(
       Arc::new(ImportMap::new(Url::parse("file:///dev/null").unwrap()))
     });
 
+  let directory_path = cli_factory.cli_options().initial_cwd();
+
   let mapped_resolver = Arc::new(MappedSpecifierResolver::new(
     Some(import_map),
     cli_factory.package_json_deps_provider().clone(),
   ));
-
-  let directory_path = cli_factory.cli_options().initial_cwd();
-
   let cli_options = cli_factory.cli_options();
   let Some(config_file) = cli_options.maybe_config_file() else {
     bail!(
@@ -859,6 +902,9 @@ pub async fn publish(
     prepared_data.publish_order_graph,
     prepared_data.package_by_name,
     auth_method,
+    publish_flags.provenance,
   )
-  .await
+  .await?;
+
+  Ok(())
 }