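# Round 7 — Independent Verification workflow (Daubert Angle 5 closer).
#
# Runs the full verification suite (unit tests + JS-Python crossval +
# citation regression) and emits a signed witness JSON file as a workflow
# artifact + release asset. The witness is the Daubert "Independent
# Verification" artifact: any third-party expert can reproduce it locally
# via `npm run verify` and compare byte-for-byte against the CI output.
#
# Cryptographic attestation: the witness is signed via Sigstore using
# GitHub OIDC (actions/attest-build-provenance). Verification:
#   gh attestation verify attestations/latest.json --owner danafitkowski
#
# Jobs:
#   verify — 3 OS x 3 Node matrix run of scripts/attestation.js on every
#            push / PR / manual dispatch; read-only token, no signing.
#   attest — one canonical Linux / Node 20 run whose output is Sigstore-
#            signed and (on tag pushes) attached to the release. Gated to
#            main-branch and tag pushes; the only job holding write scopes.
name: verify

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main, master]
    tags: ['v*']
  pull_request:
    branches: [main, master]
  workflow_dispatch:

# Least privilege: the workflow-level default is read-only. The `verify`
# job executes the checked-out repository's own scripts (including PR
# heads), so it must not carry write scopes; `attest` declares the write
# scopes it needs on the job itself, which replaces this default for that
# job only.
permissions:
  contents: read

jobs:
  verify:
    name: Independent verification (Node ${{ matrix.node }} / ${{ matrix.os }})
    runs-on: ${{ matrix.os }}
    strategy:
      fail-fast: false
      matrix:
        os: [ubuntu-latest, macos-latest, windows-latest]
        node: ['18', '20', '22']
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: ${{ matrix.node }}
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: '3.11'
      # Fail before producing a witness if package.json and the engine
      # disagree on the version — a witness stamped with a skewed version
      # could not be reproduced from the tagged source.
      - name: Engine version sanity check
        shell: bash
        run: |
          PKG_VER=$(node -p "require('./package.json').version")
          ENGINE_VER=$(node -p "require('./cpm-engine.js').ENGINE_VERSION")
          echo "package.json version: $PKG_VER"
          echo "ENGINE_VERSION: $ENGINE_VER"
          if [ "$PKG_VER" != "$ENGINE_VER" ]; then
            echo "::error::Version skew detected. package.json=$PKG_VER engine=$ENGINE_VER"
            exit 1
          fi
      # One witness per (os, node) cell so cross-platform output can be
      # compared; the file name carries the cell so artifacts don't collide.
      - name: Run full verification + generate witness
        shell: bash
        run: |
          node scripts/attestation.js --output attestations/witness-${{ matrix.os }}-node${{ matrix.node }}.json
          # attestation.js exits 1 if any test fails — gates the workflow
      - name: Display witness (Linux/Mac)
        if: matrix.os != 'windows-latest'
        run: cat attestations/witness-${{ matrix.os }}-node${{ matrix.node }}.json
      - name: Display witness (Windows)
        if: matrix.os == 'windows-latest'
        shell: pwsh
        run: Get-Content attestations/witness-${{ matrix.os }}-node${{ matrix.node }}.json
      - name: Upload witness as workflow artifact
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: witness-${{ matrix.os }}-node${{ matrix.node }}
          path: attestations/witness-${{ matrix.os }}-node${{ matrix.node }}.json
          retention-days: 90

  attest:
    name: Sign witness (Sigstore via GitHub OIDC)
    runs-on: ubuntu-latest
    # Only sign output that the full matrix has already verified.
    needs: verify
    # Sign only on main-branch pushes and tag pushes — not on every PR.
    # NOTE(review): `push` also triggers on `master` above, but pushes to
    # master are verified and never signed by this condition; confirm
    # whether `master` should be dropped from the trigger or added here.
    if: github.event_name == 'push' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/'))
    permissions:
      contents: write      # release asset upload on tag pushes
      id-token: write      # Sigstore OIDC identity for the attestation
      attestations: write  # actions/attest-build-provenance
    steps:
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
      - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
        with:
          node-version: '20'
      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
        with:
          python-version: '3.11'
      # The canonical witness is regenerated here (Linux / Node 20) rather
      # than downloaded from the matrix artifacts: the signed subject is the
      # output of this job's own run, not of the `verify` job.
      - name: Generate canonical witness (Linux/Node 20)
        run: node scripts/attestation.js --output attestations/latest.json
      - name: Display canonical witness
        run: cat attestations/latest.json
      - name: Attest witness via Sigstore
        uses: actions/attest-build-provenance@ef244123eb79f2f7a7e75d99086184180e6d0018 # v1
        with:
          subject-path: 'attestations/latest.json'
      - name: Upload canonical witness as workflow artifact
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: witness-canonical
          path: attestations/latest.json
          # NOTE(review): GitHub caps artifact retention at the repository's
          # configured maximum (90 days by default on public repos); a
          # larger value is clamped, so the release asset below is the
          # durable copy. Confirm the repo setting if 365 is required.
          retention-days: 365
      - name: Attach witness to release (tag pushes only)
        if: startsWith(github.ref, 'refs/tags/')
        uses: softprops/action-gh-release@3bb12739c298aeb8a4eeaf626c5b8d85266b0e65 # v2
        with:
          files: attestations/latest.json
          # The attestation step above has already consumed this exact path,
          # so a missing file here is an error, not a benign no-match; fail
          # loudly rather than publish a release without its witness.
          fail_on_unmatched_files: true
          generate_release_notes: false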