Support artifact attestations verification

2026-04-18 20:02:36 +08:00 · 2026-03-21 04:30:53 +09:00
parent 68bba89805
commit 8418e9f725
22 changed files with 2654 additions and 324 deletions
--- a/tools/codegen/base/biome.json
+++ b/tools/codegen/base/biome.json
@@ -2,8 +2,16 @@
  "repository": "https://github.com/biomejs/biome",
  "website": "https://biomejs.dev",
  "license_markdown": "[Apache-2.0](https://github.com/biomejs/biome/blob/main/LICENSE-APACHE) OR [MIT](https://github.com/biomejs/biome/blob/main/LICENSE-MIT)",
-  "tag_prefix": "cli/v",
+  "tag_prefix": ["@biomejs/biome@", "cli/v"],
  "bin": "${package}${exe}",
+  "signing": {
+    "version_range": ">= 2.3.9",
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "${repo}/.github/workflows/release.yml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_gnu": {
      "asset_name": "${package}-linux-x64"
--- a/tools/codegen/base/cargo-cyclonedx.json
+++ b/tools/codegen/base/cargo-cyclonedx.json
@@ -4,6 +4,14 @@
  "rust_crate": "${package}",
  "bin": "${package}-${rust_target}/${package}${exe}",
  "version_range": ">= 0.5.0",
+  "signing": {
+    "version_range": ">= 0.5.4",
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "${repo}/.github/workflows/release.yml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_gnu": {
      "asset_name": "${package}-linux-amd64.tar.gz"
--- a/tools/codegen/base/cargo-hack.json
+++ b/tools/codegen/base/cargo-hack.json
@@ -8,6 +8,14 @@
    "${package}-${rust_target}.zip",
    "${package}-v${version}-${rust_target}.zip"
  ],
+  "signing": {
+    "version_range": ">= 0.6.44",
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "taiki-e/github-actions/.github/workflows/rust-release.yml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_gnu": {},
    "x86_64_linux_musl": {},
--- a/tools/codegen/base/cargo-llvm-cov.json
+++ b/tools/codegen/base/cargo-llvm-cov.json
@@ -3,6 +3,14 @@
  "tag_prefix": "v",
  "rust_crate": "${package}",
  "asset_name": "${package}-${rust_target}.tar.gz",
+  "signing": {
+    "version_range": ">= 0.8.5",
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "taiki-e/github-actions/.github/workflows/rust-release.yml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_musl": {},
    "x86_64_macos": {},
--- a/tools/codegen/base/cargo-minimal-versions.json
+++ b/tools/codegen/base/cargo-minimal-versions.json
@@ -3,6 +3,14 @@
  "tag_prefix": "v",
  "rust_crate": "${package}",
  "asset_name": "${package}-${rust_target}.tar.gz",
+  "signing": {
+    "version_range": ">= 0.1.37",
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "taiki-e/github-actions/.github/workflows/rust-release.yml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_musl": {},
    "x86_64_macos": {},
--- a/tools/codegen/base/cargo-no-dev-deps.json
+++ b/tools/codegen/base/cargo-no-dev-deps.json
@@ -3,6 +3,14 @@
  "tag_prefix": "v",
  "rust_crate": "${package}",
  "asset_name": "${package}-${rust_target}.tar.gz",
+  "signing": {
+    "version_range": ">= 0.2.23",
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "taiki-e/github-actions/.github/workflows/rust-release.yml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_musl": {},
    "x86_64_macos": {},
--- a/tools/codegen/base/martin.json
+++ b/tools/codegen/base/martin.json
@@ -6,6 +6,13 @@
  "asset_name": "${package}-${rust_target}.tar.gz",
  "bin": ["${package}${exe}", "${package}-cp${exe}"],
  "version_range": ">= 1.0.0",
+  "signing": {
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "${repo}/.github/workflows/ci.yml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_musl": {},
    "x86_64_macos": {},
--- a/tools/codegen/base/parse-changelog.json
+++ b/tools/codegen/base/parse-changelog.json
@@ -6,6 +6,14 @@
    "${package}-${rust_target}.tar.gz",
    "${package}-${rust_target}.zip"
  ],
+  "signing": {
+    "version_range": ">= 0.6.16",
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "taiki-e/github-actions/.github/workflows/rust-release.yml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_gnu": {},
    "x86_64_linux_musl": {},
--- a/tools/codegen/base/parse-dockerfile.json
+++ b/tools/codegen/base/parse-dockerfile.json
@@ -3,6 +3,14 @@
  "tag_prefix": "v",
  "rust_crate": "${package}",
  "asset_name": "${package}-${rust_target}.tar.gz",
+  "signing": {
+    "version_range": ">= 0.1.5",
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "taiki-e/github-actions/.github/workflows/rust-release.yml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_musl": {},
    "x86_64_macos": {},
--- a/tools/codegen/base/prek.json
+++ b/tools/codegen/base/prek.json
@@ -6,6 +6,14 @@
  "asset_name": "${package}-${rust_target}.tar.gz",
  "bin": "${package}-${rust_target}/${package}${exe}",
  "version_range": ">= 0.2.20",
+  "signing": {
+    "version_range": ">= 0.3.1",
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "${repo}/.github/workflows/release.yml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_musl": {},
    "x86_64_macos": {},
--- a/tools/codegen/base/trivy.json
+++ b/tools/codegen/base/trivy.json
@@ -3,6 +3,14 @@
  "tag_prefix": "v",
  "bin": "${package}${exe}",
  "version_range": ">= 0.62.0",
+  "signing": {
+    "version_range": ">= 0.69.4",
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "${repo}/.github/workflows/reusable-release.yaml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_gnu": {
      "asset_name": "${package}_${version}_Linux-64bit.tar.gz"
--- a/tools/codegen/base/uv.json
+++ b/tools/codegen/base/uv.json
@@ -3,6 +3,14 @@
  "license_markdown": "[Apache-2.0](https://github.com/astral-sh/uv/blob/main/LICENSE-APACHE) OR [MIT](https://github.com/astral-sh/uv/blob/main/LICENSE-MIT)",
  "tag_prefix": "",
  "version_range": ">= 0.8.16",
+  "signing": {
+    "version_range": ">= 0.9.13",
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "${repo}/.github/workflows/release.yml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_musl": {
      "asset_name": "${package}-x86_64-unknown-linux-musl.tar.gz",
--- a/tools/codegen/base/wash.json
+++ b/tools/codegen/base/wash.json
@@ -3,6 +3,14 @@
  "tag_prefix": "wash-v",
  "rust_crate": "${package}",
  "asset_name": "${package}-${rust_target}${exe}",
+  "signing": {
+    "version_range": ">= 2.0.0",
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "${repo}/.github/workflows/wash.yml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_musl": {},
    "x86_64_macos": {},
--- a/tools/codegen/base/wasmtime.json
+++ b/tools/codegen/base/wasmtime.json
@@ -4,6 +4,14 @@
  "rust_crate": "${package}-cli",
  "asset_name": "${package}-v${version}-${rust_target_arch}-${rust_target_os}.tar.xz",
  "bin": "${package}-v${version}-${rust_target_arch}-${rust_target_os}/${package}${exe}",
+  "signing": {
+    "version_range": ">= 28.0.0",
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "${repo}/.github/workflows/publish-artifacts.yml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_gnu": {},
    "x86_64_macos": {},
--- a/tools/codegen/base/zizmor.json
+++ b/tools/codegen/base/zizmor.json
@@ -4,6 +4,13 @@
  "rust_crate": "${package}",
  "asset_name": "${package}-${rust_target}.tar.gz",
  "version_range": ">= 1.9.0",
+  "signing": {
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "${repo}/.github/workflows/release-binaries.yml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_gnu": {},
    "x86_64_macos": {},
--- a/tools/codegen/base/zola.json
+++ b/tools/codegen/base/zola.json
@@ -2,6 +2,14 @@
  "repository": "https://github.com/getzola/zola",
  "tag_prefix": "v",
  "asset_name": "${package}-v${version}-${rust_target}.tar.gz",
+  "signing": {
+    "version_range": ">= 0.20.0",
+    "kind": {
+      "gh-attestation": {
+        "signer-workflow": "${repo}/.github/workflows/release.yml"
+      }
+    }
+  },
  "platform": {
    "x86_64_linux_gnu": {},
    "x86_64_linux_musl": {},