Add test attestation

Author: spoorcc

.github/workflows/ci.yml

@@ -49,9 +49,13 @@ jobs:
       security-events: write
 
   test:
+    needs: source-provenance
+    if: needs.source-provenance.result != 'failure'
     uses: ./.github/workflows/test.yml
     permissions:
       contents: read
+      attestations: write
+      id-token: write
     secrets:
       CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
 

.github/workflows/test.yml

@@ -12,6 +12,10 @@ permissions:
 jobs:
   test:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      attestations: write
+      id-token: write
     steps:
       - name: "Harden the runner (Block egress traffic: Only allow calls to allowed endpoints)"
         uses: step-security/harden-runner@a5ad31d6a139d249332a2605b85202e8c0b78450 # v2.19.1
@@ -48,6 +52,12 @@ jobs:
             security.ubuntu.com:443
             svn.code.sf.net:3690
             svn.code.sf.net:443
+            api.github.com:443
+            uploads.github.com:443
+            fulcio.sigstore.dev:443
+            rekor.sigstore.dev:443
+            tuf-repo-cdn.sigstore.dev:443
+            *.blob.core.windows.net:443
 
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
         with:
@@ -81,8 +91,10 @@ jobs:
       - run: pydocstyle dfetch                                         # Checks doc strings
       - run: bandit -r dfetch                                          # Checks security issues
       - run: xenon -b B -m A -a A dfetch                               # Check code quality
-      - run: pytest --cov=dfetch  tests                                # Run tests
-      - run: coverage run --source=dfetch --append -m behave features  # Run features tests
+      - id: pytest
+        run: pytest --cov=dfetch  tests                                # Run tests
+      - id: behave
+        run: coverage run --source=dfetch --append -m behave features  # Run features tests
       - run: coverage xml -o coverage.xml                              # Create XML report
       - run: pyroma --directory --min=10 .                             # Check pyproject
       - run: find dfetch -name "*.py" | xargs pyupgrade --py310-plus   # Check syntax
@@ -96,3 +108,45 @@ jobs:
         env:
           CODACY_PROJECT_TOKEN: ${{ secrets.CODACY_PROJECT_TOKEN }}
         if: "${{ (!!env.CODACY_PROJECT_TOKEN) }}"
+
+      - name: Download canonical source archive
+        id: download-source
+        if: github.event_name != 'pull_request'
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v5
+        with:
+          name: source-archive
+
+      - name: Generate test result predicate
+        if: steps.download-source.outcome == 'success'
+        run: |
+          if [[ "${{ steps.pytest.outcome }}" == "success" && "${{ steps.behave.outcome }}" == "success" ]]; then
+            tests_result="PASSED"
+          else
+            tests_result="FAILED"
+          fi
+          cat > test-result-predicate.json <<JSONEOF
+          {
+            "result": "${tests_result}",
+            "configuration": [{
+              "uri": "https://github.com/${{ github.repository }}/blob/${{ github.sha }}/.github/workflows/test.yml",
+              "digest": {"gitCommit": "${{ github.sha }}"}
+            }],
+            "url": "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+          }
+          JSONEOF
+
+      - name: Verify subject artifact exists
+        if: steps.download-source.outcome == 'success'
+        run: |
+          if [ ! -f source.tar.gz ]; then
+            echo "Error: source.tar.gz not found after artifact download" >&2
+            exit 1
+          fi
+
+      - name: Attest test results
+        if: steps.download-source.outcome == 'success'
+        uses: actions/attest@59d89421af93a897026c735860bf21b6eb4f7b26 # v4.1.0
+        with:
+          subject-path: source.tar.gz
+          predicate-type: https://in-toto.io/attestation/test-result/v0.1
+          predicate-path: test-result-predicate.json

doc/tutorials/installation.rst

@@ -91,9 +91,10 @@ Run the following command to verify the installation
 Verifying release integrity
 ---------------------------
 
-Every dfetch release carries cryptographic attestations signed by GitHub Actions
-and anchored in `Sigstore <https://www.sigstore.dev/>`_. There are two
-complementary kinds:
+Every dfetch release has cryptographic attestations signed by GitHub Actions
+and anchored in `Sigstore <https://www.sigstore.dev/>`_, all published in the
+`attestation registry <https://github.com/dfetch-org/dfetch/attestations>`_.
+There are four complementary kinds:
 
 - **SLSA build provenance** — answers *"where did this come from?"*: proves the
   artifact was produced from the official source commit by the official CI
@@ -104,11 +105,15 @@ complementary kinds:
   independently verified?"*: records that the source archive for this commit was
   attested and verified before the binary was produced, linking source-level
   trust to the binary package.
+- **Test result attestation** (in-toto) — answers *"did the source pass its tests?"*:
+  records that the full CI test suite ran against this exact source archive and every
+  check passed, before any binary was produced.
 
-Binary installers carry **all three** kinds of attestation when source
+Binary installers have **build provenance, SBOM, and VSA** attestations when source
 provenance verification passes (signed by ``build.yml``).
-Python packages installed from PyPI carry an **SBOM attestation only** (signed by
+Python packages installed from PyPI have an **SBOM attestation only** (signed by
 ``python-publish.yml``).
+The source archive has a **test result attestation** (signed by ``test.yml``).
 
 To verify, use the `GitHub CLI <https://cli.github.com/>`_. Pass
 ``--predicate-type`` to target one kind specifically; omit it to accept either.
@@ -241,6 +246,21 @@ To verify, use the `GitHub CLI <https://cli.github.com/>`_. Pass
                 --cert-identity https://github.com/dfetch-org/dfetch/.github/workflows/python-publish.yml@refs/tags/v<version> `
                 --cert-oidc-issuer https://token.actions.githubusercontent.com
 
+**Source archive — verify test results:**
+
+The test result attestation proves the full CI suite passed on that exact source
+before any binary was produced.
+To verify locally, download ``source.tar.gz`` from the *Artifacts* section of the
+release CI run, then run:
+
+.. code-block:: bash
+
+    $ gh attestation verify source.tar.gz \
+        --repo dfetch-org/dfetch \
+        --predicate-type https://in-toto.io/attestation/test-result/v0.1 \
+        --cert-identity https://github.com/dfetch-org/dfetch/.github/workflows/test.yml@refs/tags/v<version> \
+        --cert-oidc-issuer https://token.actions.githubusercontent.com
+
 See `GitHub artifact attestations`_ for details.
 
 .. note::