test(acceptance-tests): add tests for provenance

.github/workflows/integration-workflow.yml

@@ -241,6 +241,11 @@ jobs:
     runs-on: ${{matrix.platform[0]}}-${{matrix.platform[1]}}
     needs: build
 
+    # Permission required to produce a valid provenance statement during the tests
+    # Only run inside the main repository; this may fail in master since it doesn't run in PRs from forks
+    permissions:
+      id-token: write
+
     steps:
     - uses: actions/checkout@v4
 

packages/acceptance-tests/pkg-tests-core/package.json

@@ -25,6 +25,7 @@
     "pkg-tests-fixtures": "workspace:^",
     "semver": "^7.1.2",
     "serve-static": "^1.14.1",
+    "sigstore": "^3.1.0",
     "super-resolve": "^1.0.0",
     "tar-fs": "^1.16.0",
     "tslib": "^2.4.0"

packages/acceptance-tests/pkg-tests-core/sources/utils/tests.ts

@@ -13,6 +13,7 @@ import os                                          from 'os';
 import pem                                         from 'pem';
 import semver                                      from 'semver';
 import serveStatic                                 from 'serve-static';
+import * as sigstore                               from 'sigstore';
 import stream                                      from 'stream';
 import * as t                                      from 'typanion';
 import {promisify}                                 from 'util';
@@ -559,6 +560,15 @@ export const startPackageServer = ({type}: {type: keyof typeof packageServerUrls
         if (typeof body.versions[version].gitHead !== `undefined` && name === `githead-forbidden`)
           return processError(response, 400, `Unexpected gitHead`);
 
+        if (name === `provenance-required`) {
+          try {
+            const bundle = JSON.parse(body._attachments[`${name}-${version}.sigstore`].data);
+            sigstore.verify(bundle);
+          } catch (error) {
+            return processError(response, 400, (error as Error).message);
+          }
+        }
+
         response.writeHead(200, {[`Content-Type`]: `application/json`});
         return response.end(rawData);
       });

packages/acceptance-tests/pkg-tests-specs/sources/commands/publish.test.ts

@@ -1,6 +1,8 @@
 import {npath, xfs} from '@yarnpkg/fslib';
 
-export {};
+const {
+  tests: {testIf},
+} = require(`pkg-tests-core`);
 
 const {
   exec: {execFile},
@@ -86,4 +88,29 @@ describe(`publish`, () =>   {
       },
     });
   }));
+
+  testIf(
+    () => !!process.env.ACTIONS_ID_TOKEN_REQUEST_URL,
+    `should publish a package with a valid provenance statement`,
+    makeTemporaryEnv({
+      name: `provenance-required`,
+      version: `1.0.0`,
+    }, async ({run}) => {
+      await run(`install`);
+
+      const githubEnv = Object.fromEntries(
+        Object.entries(process.env).filter(([key]) => (
+          key.startsWith(`ACTIONS_`) || key.startsWith(`GITHUB_`) || key.startsWith(`RUNNER_`)),
+        ),
+      );
+
+      await run(`npm`, `publish`, {
+        env: {
+          ...githubEnv,
+          YARN_NPM_AUTH_TOKEN: validLogins.fooUser.npmAuthToken,
+          YARN_NPM_PUBLISH_PROVENANCE: `true`,
+        },
+      });
+    }),
+  );
 });

yarn.lock

@@ -16859,6 +16859,7 @@ pem@dexus/pem:
     pkg-tests-fixtures: "workspace:^"
     semver: "npm:^7.1.2"
     serve-static: "npm:^1.14.1"
+    sigstore: "npm:^3.1.0"
     super-resolve: "npm:^1.0.0"
     tar-fs: "npm:^1.16.0"
     tslib: "npm:^2.4.0"