chore: slsa publishing flow for npm (#34)

* chore: slsa publishing flow for npm

Signed-off-by: Sam Gammon <[email protected]>

* chore: build fixes, buildbuddy, faster bazel builds

Signed-off-by: Sam Gammon <[email protected]>

* fix: file structure for js packages

Signed-off-by: Sam Gammon <[email protected]>

* fix: download built artifacts

Signed-off-by: Sam Gammon <[email protected]>

* fix: provide publish token

Signed-off-by: Sam Gammon <[email protected]>

* fix: publishing workflows

Signed-off-by: Sam Gammon <[email protected]>

* chore: ability to override registry for npm publish

Signed-off-by: Sam Gammon <[email protected]>

* build(deps-dev): bump @types/node from 20.11.28 to 20.11.29

Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 20.11.28 to 20.11.29.
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

---
updated-dependencies:
- dependency-name: "@types/node"
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump actions/deploy-pages from 4.0.4 to 4.0.5

Bumps [actions/deploy-pages](https://github.com/actions/deploy-pages) from 4.0.4 to 4.0.5.
- [Release notes](https://github.com/actions/deploy-pages/releases)
- [Commits](actions/deploy-pages@decdde0...d6db901)

---
updated-dependencies:
- dependency-name: actions/deploy-pages
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump actions/checkout from 3.6.0 to 4.1.2

Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.1.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v3.6.0...9bb5618)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>

* build(deps): bump ruby/setup-ruby from 1.161.0 to 1.172.0

Bumps [ruby/setup-ruby](https://github.com/ruby/setup-ruby) from 1.161.0 to 1.172.0.
- [Release notes](https://github.com/ruby/setup-ruby/releases)
- [Commits](ruby/setup-ruby@8575951...d4526a5)

---
updated-dependencies:
- dependency-name: ruby/setup-ruby
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <[email protected]>

* fix: publishing upload condition

Signed-off-by: Sam Gammon <[email protected]>

* chore: update lockfiles

Signed-off-by: Sam Gammon <[email protected]>

* fix: unconditionally upload assets for release

Signed-off-by: Sam Gammon <[email protected]>

---------

Signed-off-by: Sam Gammon <[email protected]>
Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Author: sgammon

.bazelrc

@@ -0,0 +1,3 @@
+
+import tools/bazel.rc
+

.github/bazel.rc

@@ -0,0 +1,28 @@
+common --announce_rc
+common --enable_platform_specific_config
+common --experimental_isolated_extension_usages
+
+build:buildbuddy-ci --bes_results_url=https://skunkworks.buildbuddy.io/invocation/
+build:buildbuddy-ci --bes_backend=grpcs://skunkworks.buildbuddy.io
+build:buildbuddy-ci --remote_cache=grpcs://skunkworks.buildbuddy.io
+build:buildbuddy-ci --remote_timeout=3600
+build:buildbuddy-ci --noslim_profile
+build:buildbuddy-ci --nolegacy_important_outputs
+
+build:buildbuddy-ci --experimental_remote_cache_compression
+build:buildbuddy-ci --experimental_remote_build_event_upload=minimal
+build:buildbuddy-ci --experimental_profile_include_target_label
+build:buildbuddy-ci --experimental_profile_include_primary_output 
+build:buildbuddy-ci --experimental_inmemory_jdeps_files
+build:buildbuddy-ci --experimental_inmemory_dotd_files
+
+build:remote-exec --remote_executor=grpcs://skunkworks.buildbuddy.io
+
+build --config=buildbuddy-ci
+
+build:ci-metadata --build_metadata=ROLE=CI
+build:ci-metadata --build_metadata=HOST=gha
+build:ci-metadata --build_metadata=VISIBILITY=PUBLIC
+build:ci-metadata --build_metadata=REPO_URL=https://github.com/elide-dev/jpms.git
+
+build --config=ci-metadata

.github/bazel.workspace

@@ -0,0 +1,5 @@
+http_archive(
+    name = "rbe_default",
+    sha256 = "cdffa3b0fbf72c361d10937c41f2ca2274efd234e3757b011b48ac0ced13be03",
+    url = "https://dl.less.build/toolchains/bazel/rbe/elidecloud-v4a-ubuntu23.10.tgz",
+)

.github/codecov.yml

@@ -33,6 +33,7 @@ github_checks:
   annotations: true
 
 ignore:
+  - "jdk"
   - "samples"
   - "tools/processor"
   - "tools/substrate/injekt"

.github/workflows/ci.build-test.yml

@@ -11,6 +11,9 @@ name: "Build & Test"
       CODECOV_TOKEN:
         description: "Codecov Token"
         required: false
+      BUILDBUDDY_APIKEY:
+        description: "BuildBuddy API Key"
+        required: false
 
   workflow_dispatch: {}
 
@@ -62,6 +65,12 @@ jobs:
             .m2
             ~/.cache/bazel
           key: jpms-attic-v1-${{ runner.os }}
+      - name: "Setup: BuildBuddy"
+        run: echo "build --remote_header=x-buildbuddy-api-key=$BUILDBUDDY_KEY" >> ./.github/bazel.rc
+        env:
+          BUILDBUDDY_KEY: ${{ secrets.BUILDBUDDY_APIKEY }}
+      - name: "Setup: Bazel Configuration"
+        run: cp -fv ./.github/bazel.rc ./tools/bazel.rc
       - name: "Build & Test Repository"
         run: make TESTS=${{ inputs.tests && 'yes' || 'no' }} SIGNING=no JAVADOC=no SNAPSHOT=yes
       - name: "Reporting: Code Coverage"
@@ -70,6 +79,8 @@ jobs:
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           slug: elide-dev/jpms
+          flags: packages
+          verbose: true
       - name: "Build: Packages"
         run: pnpm run -r pack
       - name: "Artifact: Packages"

.github/workflows/ci.publish-package.yml

@@ -0,0 +1,217 @@
+name: "Publish: Package"
+
+on:
+  workflow_call:
+    inputs:
+      package:
+        description: "Package"
+        type: string
+        required: true
+      registry:
+        description: "Registry"
+        type: string
+        default: 'https://registry.npmjs.org'
+      dry-run:
+        description: "Dry Run"
+        type: boolean
+        default: false
+      release:
+        description: "Release to GitHub"
+        type: boolean
+        default: false
+      tag:
+        description: "Release: Tag"
+        type: string
+      draft:
+        description: "Release: Draft"
+        type: boolean
+      prerelease:
+        description: "Release: Pre-release"
+        type: boolean
+      release-name:
+        description: "Release: Name"
+        type: string
+      release-generate:
+        description: "Release: Generate Notes"
+        type: boolean
+      release-latest:
+        description: "Release: Latest"
+        type: boolean
+
+    secrets:
+      PUBLISH_TOKEN:
+        description: "Publishing Token"
+        required: true
+
+  workflow_dispatch:
+    inputs:
+      package:
+        description: "Package"
+        type: choice
+        required: true
+        options:
+        - java
+        - maven
+        - gradle
+        - indexer
+      dry-run:
+        description: "Dry Run"
+        type: boolean
+        default: false
+      registry:
+        description: "Registry"
+        type: string
+        default: 'https://registry.npmjs.org'
+      release:
+        description: "Release to GitHub"
+        type: boolean
+        default: false
+      tag:
+        description: "Release Tag"
+        type: string
+      draft:
+        description: "Release: Draft"
+        type: boolean
+      prerelease:
+        description: "Release: Pre-release"
+        type: boolean
+      release-name:
+        description: "Release: Name"
+        type: string
+      release-generate:
+        description: "Release: Generate Notes"
+        type: boolean
+      release-latest:
+        description: "Release: Latest"
+        type: boolean
+
+jobs:
+  build:
+    name: "Package: Build (${{ inputs.package }})"
+    runs-on: ubuntu-latest
+    outputs:
+      hashes: ${{ steps.hash.outputs.hashes }}
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: "Setup: Harden Runner"
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+      - name: "Setup: Checkout"
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # v4.1.2
+        with:
+          persist-credentials: false
+      - name: "Setup: Node"
+        uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+        with:
+          node-version: ${{ vars.NODE_VERSION || '21' }}
+          registry-url: 'https://registry.npmjs.org'
+      - name: "Setup: PNPM"
+        uses: pnpm/action-setup@a3252b78c470c02df07e9d59298aecedc3ccdd6d # v3.0.0
+        with:
+          version: ${{ vars.PNPM_VERSION || '8' }}
+          run_install: |
+            - recursive: true
+              args: [--frozen-lockfile, --strict-peer-dependencies]
+      - name: "Build: Package (${{ inputs.package }})"
+        run: cd packages/${{ inputs.package }} && pnpm pack
+      - name: "Build: Provenance Hashes"
+        shell: bash
+        id: hash
+        run: |
+          echo "Release assets:"
+          ls -la packages/*/*.tgz
+          file packages/*/*.tgz
+          du -h packages/*/*.tgz
+          echo ""
+
+          sha256sum packages/*/*.tgz > ./packages/${{ inputs.package }}/pkg-hashes.txt
+          echo "Hashes:"
+          cat ./packages/${{ inputs.package }}/pkg-hashes.txt
+          echo ""
+
+          cat ./packages/${{ inputs.package }}/pkg-hashes.txt | base64 -w0 > ./packages/${{ inputs.package }}/pkg-hashes-encoded.txt
+          echo "Encoded Hashes:"
+          cat ./packages/${{ inputs.package }}/pkg-hashes-encoded.txt
+          echo ""
+
+          echo "hashes=$(cat ./packages/${{ inputs.package }}/pkg-hashes-encoded.txt)" >> "$GITHUB_OUTPUT"
+      - name: "Artifact: Packages"
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
+        with:
+          name: javamodules-pkg-${{ inputs.package }}-${{ github.sha }}
+          retention-days: 30
+          compression-level: 1
+          overwrite: true
+          path: |
+            packages/${{ inputs.package }}/*.tgz
+            packages/${{ inputs.package }}/pkg-hashes.txt
+            packages/${{ inputs.package }}/pkg-hashes-encoded.txt
+
+  provenance:
+    name: "SLSA Provenance (${{ inputs.package }})"
+    needs: [build]
+    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+    permissions:
+      actions: read
+      id-token: write
+      contents: write
+    with:
+      base64-subjects: "${{ needs.build.outputs.hashes }}"
+      upload-assets: true
+
+  release:
+    name: "Release to GitHub (${{ inputs.package }})"
+    needs: [build, provenance]
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/') || inputs.release
+    steps:
+      - name: "Artifact: Package"
+        id: releaseArtifact
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        with:
+          name: javamodules-pkg-${{ inputs.package }}-${{ github.sha }}
+      - name: "Artifact: Provenance"
+        id: provenanceArtifact
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        with:
+          name: ${{ needs.provenance.outputs.provenance-name }}
+      - name: "Publish: Release"
+        uses: softprops/action-gh-release@d99959edae48b5ffffd7b00da66dcdb0a33a52ee # v2.0.2
+        with:
+          draft: ${{ inputs.draft }}
+          prerelease: ${{ inputs.prerelease }}
+          name: ${{ inputs.release-name }}
+          tag_name: ${{ inputs.tag || github.ref }}
+          generate_release_notes: ${{ inputs.release-generate }}
+          append_body: true
+          files: |
+            ${{ steps.releaseArtifact.outputs.download-path }}
+            ${{ steps.provenanceArtifact.outputs.download-path }}
+
+  publish-npm:
+    name: "Publish to Registry (${{ inputs.package }})"
+    needs: [build, provenance, release]
+    runs-on: ubuntu-latest
+    if: startsWith(github.ref, 'refs/tags/') || inputs.release
+    permissions:
+      id-token: write
+      contents: write
+      packages: write
+    steps:
+      - name: "Artifact: Package"
+        id: releaseArtifact
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        with:
+          name: javamodules-pkg-${{ inputs.package }}-${{ github.sha }}
+      - name: "Artifact: Provenance"
+        id: provenanceArtifact
+        uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
+        with:
+          name: ${{ needs.provenance.outputs.provenance-name }}
+      - name: "Publish to Registry"
+        run: cd packages/${{ inputs.package }} && pnpm run ${{ inputs.dry-run && 'publish:dry' || 'publish:live' }} --registry=${{ inputs.registry }}
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_PUBLISH_TOKEN }}