Add GitHub attestation to published packages and fix issue with mimicking GitHub Actions environment

Author: sebastianrath

.github/workflows/graphs/build-test-publish.act

@@ -20,6 +20,7 @@ def main():
     sha256 = get_env_variable('SHA256')
     typ = get_env_variable('TYPE')
     version = get_env_variable('VERSION')
+    attestation_url = get_env_variable('ATTESTATION_URL')
     key = get_env_variable('S3_KEY')
     region = get_env_variable('PUBLISH_S3_REGION')
     bucket = get_env_variable('PUBLISH_S3_BUCKET')
@@ -41,6 +42,7 @@ def main():
             "key": key,
             "endpoint": endpoint
         },
+        "attestation_url": attestation_url,
         "sha256": sha256,
         "type": typ
     }]

.github/workflows/graphs/publish.py

@@ -21,6 +21,12 @@ on:
         type: boolean
         default: false
 
+permissions:
+  id-token: write
+  attestations: write
+  artifact-metadata: write
+  contents: read
+
 jobs:
   build-quick:
 
@@ -60,10 +66,6 @@ jobs:
     name: Build, Test and Publish
     if: startsWith(github.ref, 'refs/tags/') && (github.event_name == 'workflow_dispatch' || (github.event_name == 'push'))
 
-    permissions:
-      packages: write
-      contents: read
-
     strategy:
       matrix:
         license: [free]  # add pro when ready

.github/workflows/workflow.yml

@@ -287,7 +287,8 @@ func RunGraph(ctx context.Context, graphName string, graphContent []byte, opts R
 	}
 
 	entryNode, isBaseNode := entry.(NodeBaseInterface)
-	isGitHubWorkflow := os.Getenv("GITHUB_ACTIONS") == "true" || (isBaseNode && entryNode.GetNodeTypeId() == "core/gh-start@v1")
+	isGitHubAction := os.Getenv("GITHUB_ACTIONS") == "true"
+	isGitHubWorkflow := isBaseNode && entryNode.GetNodeTypeId() == "core/gh-start@v1"
 
 	// Initialize trackers with their respective categories
 	envTracker := newValueMap[string]("env")
@@ -399,36 +400,40 @@ func RunGraph(ctx context.Context, graphName string, graphContent []byte, opts R
 		printExplicit(envTracker, false)
 	}
 
-	if isGitHubWorkflow {
-		err = SetupGitHubActionsEnv(finalEnv)
-		if err != nil {
-			return CreateErr(nil, err, "failed to setup GitHub Actions environment")
-		}
-	}
-
-	// set cwd for current process. `ACT_CWD` is used for non GitHub workflows
-	if cwd := finalEnv["GITHUB_WORKSPACE"]; cwd != "" {
+	if cwd := finalEnv["ACT_CWD"]; cwd != "" {
 		originalCwd, err := os.Getwd()
 		if err != nil {
 			return CreateErr(nil, err, "failed to get current working directory")
 		}
 		if err := os.Chdir(cwd); err != nil {
-			return CreateErr(nil, err, "failed to change working directory to GITHUB_WORKSPACE")
+			return CreateErr(nil, err, "failed to change working directory to ACT_CWD")
 		}
 		defer func() {
 			_ = os.Chdir(originalCwd)
 		}()
-	} else if cwd := finalEnv["ACT_CWD"]; cwd != "" {
-		originalCwd, err := os.Getwd()
+	}
+
+	if !isGitHubAction && isGitHubWorkflow {
+		// If we are running a github actions workflow, then mimic a GitHub Actions environment
+		// But only do is if we are NOT already in GitHub Actions
+		err = SetupGitHubActionsEnv(finalEnv)
 		if err != nil {
-			return CreateErr(nil, err, "failed to get current working directory")
+			return CreateErr(nil, err, "failed to setup GitHub Actions environment")
 		}
-		if err := os.Chdir(cwd); err != nil {
-			return CreateErr(nil, err, "failed to change working directory to ACT_CWD")
+
+		// set cwd for current process. `ACT_CWD` above is used for non GitHub workflows
+		if cwd := finalEnv["GITHUB_WORKSPACE"]; cwd != "" {
+			originalCwd, err := os.Getwd()
+			if err != nil {
+				return CreateErr(nil, err, "failed to get current working directory")
+			}
+			if err := os.Chdir(cwd); err != nil {
+				return CreateErr(nil, err, "failed to change working directory to GITHUB_WORKSPACE")
+			}
+			defer func() {
+				_ = os.Chdir(originalCwd)
+			}()
 		}
-		defer func() {
-			_ = os.Chdir(originalCwd)
-		}()
 	}
 
 	// construct the `github` context

core/graph.go

@@ -23,7 +23,7 @@ hint:
 
 stack trace:
 github.com/actionforge/actrun-cli/core.RunGraphFromFile
-	graph.go:1067
+	graph.go:1072
 github.com/actionforge/actrun-cli/cmd.cmdRootRun
 	cmd_root.go:186
 github.com/spf13/cobra.(*Command).execute

tests_e2e/references/reference_app.sh_l12

@@ -40,11 +40,11 @@ github.com/actionforge/actrun-cli/nodes.(*StartNode).ExecuteImpl
 github.com/actionforge/actrun-cli/nodes.(*StartNode).ExecuteEntry
 	start@v1.go:45
 github.com/actionforge/actrun-cli/core.RunGraph
-	graph.go:462
+	graph.go:467
 github.com/actionforge/actrun-cli/core.RunGraphFromString
-	graph.go:1052
+	graph.go:1057
 github.com/actionforge/actrun-cli/core.RunGraphFromFile
-	graph.go:1070
+	graph.go:1075
 github.com/actionforge/actrun-cli/cmd.cmdRootRun
 	cmd_root.go:186
 github.com/spf13/cobra.(*Command).execute

tests_e2e/references/reference_dir-walk.sh_l56

@@ -51,11 +51,11 @@ github.com/actionforge/actrun-cli/nodes.(*StartNode).ExecuteImpl
 github.com/actionforge/actrun-cli/nodes.(*StartNode).ExecuteEntry
 	start@v1.go:45
 github.com/actionforge/actrun-cli/core.RunGraph
-	graph.go:462
+	graph.go:467
 github.com/actionforge/actrun-cli/core.RunGraphFromString
-	graph.go:1052
+	graph.go:1057
 github.com/actionforge/actrun-cli/core.RunGraphFromFile
-	graph.go:1070
+	graph.go:1075
 github.com/actionforge/actrun-cli/cmd.cmdRootRun
 	cmd_root.go:186
 github.com/spf13/cobra.(*Command).execute

tests_e2e/references/reference_error_no_output.sh_l8

@@ -250,7 +250,7 @@ github.com/actionforge/actrun-cli/nodes.(*StartNode).ExecuteImpl
 github.com/actionforge/actrun-cli/nodes.(*StartNode).ExecuteEntry
 	start@v1.go:45
 github.com/actionforge/actrun-cli/core.RunGraph
-	graph.go:462
+	graph.go:467
 github.com/actionforge/actrun-cli/core.RunGraphFromString
-	graph.go:1052
+	graph.go:1057
 

tests_e2e/references/reference_group-error.sh_l8

@@ -25,17 +25,17 @@ github.com/actionforge/actrun-cli/nodes.init.40.func1
 github.com/actionforge/actrun-cli/core.NewNodeInstance
 	base.go:619
 github.com/actionforge/actrun-cli/core.LoadNode
-	graph.go:635
+	graph.go:640
 github.com/actionforge/actrun-cli/core.LoadNodes
-	graph.go:575
+	graph.go:580
 github.com/actionforge/actrun-cli/core.LoadGraph
-	graph.go:490
+	graph.go:495
 github.com/actionforge/actrun-cli/core.RunGraph
 	graph.go:279
 github.com/actionforge/actrun-cli/core.RunGraphFromString
-	graph.go:1052
+	graph.go:1057
 github.com/actionforge/actrun-cli/core.RunGraphFromFile
-	graph.go:1070
+	graph.go:1075
 github.com/actionforge/actrun-cli/cmd.cmdRootRun
 	cmd_root.go:186
 github.com/spf13/cobra.(*Command).execute

tests_e2e/references/reference_group-port-collision.sh_l13

@@ -84,11 +84,11 @@ github.com/actionforge/actrun-cli/nodes.(*StartNode).ExecuteImpl
 github.com/actionforge/actrun-cli/nodes.(*StartNode).ExecuteEntry
 	start@v1.go:45
 github.com/actionforge/actrun-cli/core.RunGraph
-	graph.go:462
+	graph.go:467
 github.com/actionforge/actrun-cli/core.RunGraphFromString
-	graph.go:1052
+	graph.go:1057
 github.com/actionforge/actrun-cli/core.RunGraphFromFile
-	graph.go:1070
+	graph.go:1075
 github.com/actionforge/actrun-cli/cmd.cmdRootRun
 	cmd_root.go:186
 github.com/spf13/cobra.(*Command).execute