feat: add an attestations.json substitutable template

Author: kormide

src/application/cli/create-entry-command.ts

@@ -4,6 +4,7 @@ import path from 'path';
 import treeNodeCli from 'tree-node-cli';
 import { ArgumentsCamelCase } from 'yargs';
 
+import { AttestationsTemplate } from '../../domain/attestations-template.js';
 import {
   CreateEntryService,
   VersionAlreadyPublishedError,
@@ -19,10 +20,10 @@ import {
 import { Repository } from '../../domain/repository.js';
 import {
   SourceTemplate,
-  SubstitutableVar,
   UnsubstitutedVarsError,
 } from '../../domain/source-template.js';
 import { SourceTemplateError } from '../../domain/source-template.js';
+import { SubstitutableVar } from '../../domain/substitution.js';
 import { CreateEntryArgs } from './yargs.js';
 
 export interface CreateEntryCommandOutput {
@@ -47,6 +48,9 @@ export class CreateEntryCommand {
         path.join(args.templatesDir, 'metadata.template.json')
       );
       const sourceTemplate = new SourceTemplate(sourceTemplatePath);
+      const attestationsTemplate = AttestationsTemplate.tryLoad(
+        path.join(args.templatesDir, 'attestations.template.json')
+      );
       const presubmitPath = path.join(args.templatesDir, 'presubmit.yml');
       const patchesPath = path.join(args.templatesDir, 'patches');
 
@@ -65,7 +69,8 @@ export class CreateEntryCommand {
         presubmitPath,
         patchesPath,
         args.localRegistry,
-        args.moduleVersion
+        args.moduleVersion,
+        attestationsTemplate
       );
 
       console.error(

src/application/release-event-handler.ts

@@ -86,7 +86,8 @@ export class ReleaseEventHandler {
             rulesetRepo.presubmitPath(moduleRoot),
             rulesetRepo.patchesPath(moduleRoot),
             bcr.diskPath,
-            version
+            version,
+            null // TODO
           );
           moduleNames.push(moduleName);
         }

src/domain/BUILD.bazel

@@ -4,6 +4,8 @@ load("//bazel/ts:defs.bzl", "ts_project")
 ts_project(
     name = "domain",
     srcs = [
+        "artifact.ts",
+        "attestations-template.ts",
         "configuration.ts",
         "create-entry.ts",
         "error.ts",
@@ -16,6 +18,7 @@ ts_project(
         "repository.ts",
         "ruleset-repository.ts",
         "source-template.ts",
+        "substitution.ts",
         "user.ts",
         "version.ts",
     ],
@@ -41,6 +44,8 @@ ts_project(
     name = "domain_tests",
     testonly = True,
     srcs = [
+        "artifact.spec.ts",
+        "attestations-template.spec.ts",
         "configuration.spec.ts",
         "create-entry.spec.ts",
         "find-registry-fork.spec.ts",
@@ -52,6 +57,7 @@ ts_project(
         "repository.spec.ts",
         "ruleset-repository.spec.ts",
         "source-template.spec.ts",
+        "substitution.spec.ts",
         "version.spec.ts",
     ],
     deps = [

src/domain/artifact.spec.ts

@@ -0,0 +1,195 @@
+import { randomUUID } from 'node:crypto';
+import fs, { WriteStream } from 'node:fs';
+import os from 'node:os';
+import path from 'node:path';
+
+import axios from 'axios';
+import axiosRetry from 'axios-retry';
+import { mocked } from 'jest-mock';
+
+import { expectThrownError } from '../test/util';
+import { Artifact, ArtifactDownloadError } from './artifact';
+import { computeIntegrityHash } from './integrity-hash';
+
+jest.mock('node:fs');
+jest.mock('node:os');
+jest.mock('axios');
+jest.mock('axios-retry');
+jest.mock('./integrity-hash');
+
+const ARTIFACT_URL = 'https://foo.bar/artifact.baz';
+const TEMP_DIR = '/tmp';
+const TEMP_FOLDER = 'artifact-1234';
+
+beforeEach(() => {
+  mocked(axios.get).mockReturnValue(
+    Promise.resolve({
+      data: {
+        pipe: jest.fn(),
+      },
+      status: 200,
+    })
+  );
+
+  mocked(fs.createWriteStream).mockReturnValue({
+    on: jest.fn((event: string, func: (...args: any[]) => unknown) => {
+      if (event === 'finish') {
+        func();
+      }
+    }),
+  } as any);
+
+  mocked(os.tmpdir).mockReturnValue(TEMP_DIR);
+  mocked(fs.mkdtempSync).mockReturnValue(path.join(TEMP_DIR, TEMP_FOLDER));
+  mocked(computeIntegrityHash).mockReturnValue(`sha256-${randomUUID()}`);
+});
+
+describe('Artifact', () => {
+  describe('download', () => {
+    test('downloads the artifact', async () => {
+      const artifact = new Artifact(ARTIFACT_URL);
+      await artifact.download();
+
+      expect(axios.get).toHaveBeenCalledWith(ARTIFACT_URL, {
+        responseType: 'stream',
+      });
+    });
+
+    test('retries the request if it fails', async () => {
+      const artifact = new Artifact(ARTIFACT_URL);
+
+      // Restore the original behavior of exponentialDelay.
+      mocked(axiosRetry.exponentialDelay).mockImplementation(
+        jest.requireActual('axios-retry').exponentialDelay
+      );
+
+      await artifact.download();
+
+      expect(axiosRetry).toHaveBeenCalledWith(axios, {
+        retries: 3,
+
+        retryCondition: expect.matchesPredicate(
+          (retryConditionFn: Function) => {
+            // Make sure HTTP 404 errors are retried.
+            const notFoundError = { response: { status: 404 } };
+            return retryConditionFn.call(this, notFoundError);
+          }
+        ),
+        // eslint-disable-next-line @typescript-eslint/no-unsafe-function-type
+        retryDelay: expect.matchesPredicate((retryDelayFn: Function) => {
+          // Make sure the retry delays follow exponential backoff
+          // and the final retry happens after at least 1 minute total
+          // (in this case, at least 70 seconds).
+          // Axios randomly adds an extra 0-20% of jitter to each delay.
+          // Test upper bounds as well to ensure the workflow completes reasonably quickly
+          // (in this case, no more than 84 seconds total).
+          const firstRetryDelay = retryDelayFn.call(this, 0);
+          const secondRetryDelay = retryDelayFn.call(this, 1);
+          const thirdRetryDelay = retryDelayFn.call(this, 2);
+          return (
+            10000 <= firstRetryDelay &&
+            firstRetryDelay <= 12000 &&
+            20000 <= secondRetryDelay &&
+            secondRetryDelay <= 24000 &&
+            40000 <= thirdRetryDelay &&
+            thirdRetryDelay <= 48000
+          );
+        }),
+        shouldResetTimeout: true,
+      });
+    });
+
+    test('saves the artifact to disk', async () => {
+      const artifact = new Artifact(ARTIFACT_URL);
+
+      await artifact.download();
+
+      const expectedPath = path.join(TEMP_DIR, TEMP_FOLDER, 'artifact.baz');
+      expect(fs.createWriteStream).toHaveBeenCalledWith(expectedPath, {
+        flags: 'w',
+      });
+
+      const mockedAxiosResponse = await (mocked(axios.get).mock.results[0]
+        .value as Promise<{ data: { pipe: Function } }>); // eslint-disable-line @typescript-eslint/no-unsafe-function-type
+      const mockedWriteStream = mocked(fs.createWriteStream).mock.results[0]
+        .value as WriteStream;
+
+      expect(mockedAxiosResponse.data.pipe).toHaveBeenCalledWith(
+        mockedWriteStream
+      );
+    });
+
+    test('sets the diskPath', async () => {
+      const artifact = new Artifact(ARTIFACT_URL);
+
+      await artifact.download();
+
+      const expectedPath = path.join(TEMP_DIR, TEMP_FOLDER, 'artifact.baz');
+      expect(artifact.diskPath).toEqual(expectedPath);
+    });
+
+    test('throws on a non 200 status', async () => {
+      const artifact = new Artifact(ARTIFACT_URL);
+
+      mocked(axios.get).mockRejectedValue({
+        response: {
+          status: 401,
+        },
+      });
+
+      const thrownError = await expectThrownError(
+        () => artifact.download(),
+        ArtifactDownloadError
+      );
+
+      expect(thrownError.message.includes(ARTIFACT_URL)).toEqual(true);
+      expect(thrownError.message.includes('401')).toEqual(true);
+    });
+  });
+
+  describe('computeIntegrityHash', () => {
+    test('throws when artifact has not yet been downloaded', () => {
+      const artifact = new Artifact(ARTIFACT_URL);
+
+      expect(() => artifact.computeIntegrityHash()).toThrowWithMessage(
+        Error,
+        `The artifact ${ARTIFACT_URL} must be downloaded before an integrity hash can be calculated`
+      );
+    });
+
+    test('computes the integrity of the file', async () => {
+      const artifact = new Artifact(ARTIFACT_URL);
+      await artifact.download();
+
+      const expected = `sha256-${randomUUID()}`;
+      mocked(computeIntegrityHash).mockReturnValue(expected);
+
+      const actual = await artifact.computeIntegrityHash();
+
+      expect(expected).toEqual(actual);
+      expect(computeIntegrityHash).toHaveBeenCalledWith(artifact.diskPath);
+    });
+  });
+
+  describe('cleanup', () => {
+    test('removed the stored file', async () => {
+      const artifact = new Artifact(ARTIFACT_URL);
+      await artifact.download();
+      const diskPath = artifact.diskPath;
+      artifact.cleanup();
+
+      expect(fs.rmSync).toHaveBeenCalledWith(diskPath, { force: true });
+    });
+
+    test('removes the diskPath', async () => {
+      const artifact = new Artifact(ARTIFACT_URL);
+      await artifact.download();
+      artifact.cleanup();
+
+      expect(() => artifact.diskPath).toThrowWithMessage(
+        Error,
+        `The artifact ${ARTIFACT_URL} has not been downloaded yet`
+      );
+    });
+  });
+});