libhalo/.github/workflows/prod_integrity_check.yml

name: Integrity check

on:
  push:
    branches:
      - master
  schedule:
    - cron: '37 21 * * *'

jobs:
  integrity_npmjs:
    name: Integrity check (npmjs)
    runs-on: ubuntu-latest
    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65
      - name: Get latest version from npm
        id: get-latest-npm
        run: |
          curl -s -o "$RUNNER_TEMP/package-npm.json" https://registry.npmjs.org/@arx-research/libhalo/latest
          NPM_LATEST_VER=$(cat "$RUNNER_TEMP/package-npm.json" | jq --raw-output '.version' | tr -d '\n')
          NPM_HASH=$(cat "$RUNNER_TEMP/package-npm.json" | jq --raw-output '.dist.integrity' | tr -d '\n')
          echo "NPM_LATEST_VER=$NPM_LATEST_VER" >> $GITHUB_ENV
          echo "NPM_HASH=$NPM_HASH" >> $GITHUB_ENV
      - name: Check cosign signature
        run: |
          curl -s -o "$RUNNER_TEMP/release_info.json" https://api.github.com/repos/arx-research/libhalo/releases/tags/libhalo-v${NPM_LATEST_VER}
          COMMIT_HASH=$(cat "$RUNNER_TEMP/release_info.json" | jq --raw-output '.target_commitish' | tr -d '\n')
          curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${NPM_LATEST_VER}/libhalo-npm-hash.txt"
          curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.pem" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${NPM_LATEST_VER}/libhalo-npm-hash.txt-keyless.pem"
          curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.sig" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${NPM_LATEST_VER}/libhalo-npm-hash.txt-keyless.sig"
          cosign verify-blob \
            --cert "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.pem" \
            --signature "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.sig" \
            --certificate-identity "https://github.com/arx-research/libhalo/.github/workflows/prod_build_lib.yml@refs/tags/libhalo-v${NPM_LATEST_VER}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-github-workflow-sha "$COMMIT_HASH" \
            "$RUNNER_TEMP/libhalo-npm-hash.txt"
          echo "Verified ${NPM_LATEST_VER} with commit ID: ${COMMIT_HASH}"
      - name: Verify integrity hash on npmjs
        run: |
          OUR_HASH=$(cat "$RUNNER_TEMP/libhalo-npm-hash.txt" | tr -d '\n')
          echo "Our hash: $OUR_HASH"
          echo "NPM hash: $NPM_HASH"
          [[ "$NPM_HASH" == "$OUR_HASH" ]]
  integrity_gh:
    name: Integrity check (GitHub Packages)
    runs-on: ubuntu-latest
    permissions:
      packages: read
    steps:
      - name: Install cosign
        uses: sigstore/cosign-installer@c3667d99424e7e6047999fb6246c0da843953c65
      - name: Get latest version from npm
        id: get-latest-gh
        run: |
          curl -s -L -o "$RUNNER_TEMP/package-gh.json" \
            -H "Accept: application/vnd.github+json" \
            -H "Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}" \
            -H "X-GitHub-Api-Version: 2022-11-28" \
            https://npm.pkg.github.com/@arx-research%2flibhalo
          GH_LATEST_VER=$(cat "$RUNNER_TEMP/package-gh.json" | jq --raw-output '.["dist-tags"].latest' | tr -d '\n')
          NPM_HASH=$(cat "$RUNNER_TEMP/package-gh.json" | jq --raw-output ".versions[\"${GH_LATEST_VER}\"].dist.integrity" | tr -d '\n')
          echo "GH_LATEST_VER=$GH_LATEST_VER" >> $GITHUB_ENV
          echo "NPM_HASH=$NPM_HASH" >> $GITHUB_ENV
      - name: Check cosign signature
        run: |
          curl -s -o "$RUNNER_TEMP/release_info.json" https://api.github.com/repos/arx-research/libhalo/releases/tags/libhalo-v${GH_LATEST_VER}
          COMMIT_HASH=$(cat "$RUNNER_TEMP/release_info.json" | jq --raw-output '.target_commitish' | tr -d '\n')
          curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${GH_LATEST_VER}/libhalo-npm-hash.txt"
          curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.pem" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${GH_LATEST_VER}/libhalo-npm-hash.txt-keyless.pem"
          curl -s -L -o "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.sig" "https://github.com/arx-research/libhalo/releases/download/libhalo-v${GH_LATEST_VER}/libhalo-npm-hash.txt-keyless.sig"
          cosign verify-blob \
            --cert "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.pem" \
            --signature "$RUNNER_TEMP/libhalo-npm-hash.txt-keyless.sig" \
            --certificate-identity "https://github.com/arx-research/libhalo/.github/workflows/prod_build_lib.yml@refs/tags/libhalo-v${GH_LATEST_VER}" \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com \
            --certificate-github-workflow-sha "$COMMIT_HASH" \
            "$RUNNER_TEMP/libhalo-npm-hash.txt"
          echo "Verified ${GH_LATEST_VER} with commit ID: ${COMMIT_HASH}"
      - name: Verify integrity hash on npmjs
        run: |
          OUR_HASH=$(cat "$RUNNER_TEMP/libhalo-npm-hash.txt" | tr -d '\n')
          echo "Our hash: $OUR_HASH"
          echo "NPM hash: $NPM_HASH"
          [[ "$NPM_HASH" == "$OUR_HASH" ]]