codius · wilsonianb · Aug 26, 2024 · Aug 21, 2024 · Aug 22, 2024 · Aug 22, 2024
diff --git a/.github/workflows/deploy-worker.yml b/.github/workflows/deploy-worker.yml
@@ -13,24 +13,34 @@ on:
       commit:
         description: "Git commit hash"
         required: true
+      branch:
+        description: "Git branch"
+        required: true
       directory:
         description: "Directory to deploy"
         required: false
+        default: "."
 
 permissions:
   contents: read
 
 jobs:
+  notify:
+    runs-on: ubuntu-latest
+    steps:
+      - name: ${{github.event.inputs.appId}}
+        run: echo run identifier ${{ github.run_id }}
+
   deploy:
     runs-on: ubuntu-latest
+    outputs:
+      worker-script: ${{ steps.get-script.outputs.worker-script-filename }}
 
     env:
       wranglerVersion: "3.68.0"
       outDir: "codius-dist"
 
     steps:
-      - name: ${{github.event.inputs.appId}}
-        run: echo run identifier ${{ github.run_id }}
       - name: Checkout
         uses: actions/checkout@v4
         with:
@@ -44,7 +54,7 @@ jobs:
           file_path="${directory:+${directory}/}pnpm-lock.yaml"
           if [ -f "$file_path" ]; then
             echo "PNPM lock file found"
-            echo "::set-output name=setup_pnpm::true"
+            echo "setup_pnpm=true" >> "$GITHUB_OUTPUT"
           fi
 
       - name: Setup Node.js
@@ -71,8 +81,8 @@ jobs:
         id: check-custom-build
         working-directory: ${{ github.event.inputs.directory }}
         run: |
-          CUSTOM_BUILD=$(docker run -i ghcr.io/pelletier/go-toml:v2 tomljson < wrangler.toml | jq -e '.build' > /dev/null && echo "true" || echo "false")
-          echo "CUSTOM_BUILD=${CUSTOM_BUILD}" >> "$GITHUB_OUTPUT"
+          custom_build=$(docker run -i ghcr.io/pelletier/go-toml:v2 tomljson < wrangler.toml | jq -e '.build' > /dev/null && echo "true" || echo "false")
+          echo "custom-build=${custom_build}" >> "$GITHUB_OUTPUT"
 
       - name: Bundle/Build Worker
         uses: cloudflare/wrangler-action@v3
@@ -81,7 +91,7 @@ jobs:
           workingDirectory: ${{ github.event.inputs.directory }}
           command: deploy --dry-run ${{ env.OUT_DIR }} --name=${{ github.event.inputs.appId }} --dispatch-namespace ${{ github.event.inputs.dispatchNamespace }}
         env:
-          OUT_DIR: ${{ steps.check-custom-build.outputs.CUSTOM_BUILD == 'false' && format('--outdir={0}', env.outDir) || '' }}
+          OUT_DIR: ${{ steps.check-custom-build.outputs.custom-build == 'false' && format('--outdir={0}', env.outDir) || '' }}
 
       - name: Determine worker entry script
         id: get-script
@@ -90,7 +100,7 @@ jobs:
           wrangler_main=$(docker run -i ghcr.io/pelletier/go-toml:v2 tomljson < wrangler.toml | jq -r '.main')
           echo "wrangler_main: $wrangler_main"
 
-          if [ "${{ steps.check-custom-build.outputs.CUSTOM_BUILD }}" == "false" ]; then
+          if [ "${{ steps.check-custom-build.outputs.custom-build }}" == "false" ]; then
             trimmed_wrangler_main=$(echo ${wrangler_main} | sed 's|^\./||')
             echo "Custom build is false; looking for the bundled script in ${outDir} containing // ${trimmed_wrangler_main}"
             worker_script=$(grep -rl "// ${trimmed_wrangler_main}" "${{ env.outDir }}" | head -n 1)
@@ -101,11 +111,17 @@ jobs:
           fi
 
           if [ -z "$worker_script" ]; then
-            echo "Error: WORKER_SCRIPT is empty!"
+            echo "Error: Unable to find worker script!"
             exit 1
           fi
 
-          echo "WORKER_SCRIPT=${worker_script}" >> "$GITHUB_OUTPUT"
+          echo "worker-script=${worker_script}" >> "$GITHUB_OUTPUT"
+          echo "worker-script-filename=$(basename $worker_script)" >> "$GITHUB_OUTPUT"
+
+      - uses: actions/upload-artifact@v4
+        with:
+          name: ${{ github.event.inputs.appId }}
+          path: ${{ github.event.inputs.directory }}/${{ steps.get-script.outputs.worker-script }}
 
       - name: Deploy Worker
         uses: cloudflare/wrangler-action@v3
@@ -114,4 +130,36 @@ jobs:
           accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
           wranglerVersion: ${{ env.wranglerVersion }}
           workingDirectory: ${{ github.event.inputs.directory }}
-          command: deploy --no-bundle --name=${{ github.event.inputs.appId }} --dispatch-namespace ${{ github.event.inputs.dispatchNamespace }} ${{ steps.get-script.outputs.WORKER_SCRIPT }}
+          command: deploy --no-bundle --name=${{ github.event.inputs.appId }} --dispatch-namespace ${{ github.event.inputs.dispatchNamespace }} ${{ steps.get-script.outputs.worker-script }}
+
+  attest:
 webhooks.on("workflow_job.in_progress", async (data) => { 
 webhooks.on("workflow_job.completed", async (data) => { 
 webhooks.on("workflow_job.in_progress", async (data) => { 
 webhooks.on("workflow_job.completed", async (data) => { 
+    needs: deploy
+    runs-on: ubuntu-latest
+
+    permissions:
+      id-token: write
+      attestations: write
+
+    steps:
+      - name: Download worker script
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ github.event.inputs.appId }}
+
+      - uses: actions/attest-build-provenance/predicate@d58ddf9f241cd8163408934540d01c3335864d64 # predicate@1.1.2
+        id: generate-build-provenance-predicate
+
+      - name: Update Predicate JSON
+        id: update-predicate
+        run: |
+          uri="git+https://github.com/${{ github.event.inputs.repo }}@refs/heads/${{ github.event.inputs.branch }}"
+          resolved_dependencies=$(jq -n --arg uri "$uri" --arg commit "${{ github.event.inputs.commit }}" --arg path "${{ github.event.inputs.directory }}" '[{"uri": $uri, "digest": {"gitCommit": $commit}, "path": $path}]')
+          predicate=$(echo '${{ steps.generate-build-provenance-predicate.outputs.predicate }}' | jq -c '.buildDefinition.externalParameters.resolvedDependencies = $resolved_dependencies' --argjson resolved_dependencies "$resolved_dependencies")
+          echo "predicate=$predicate" >> $GITHUB_OUTPUT
+
+      - uses: actions/attest@2da0b136720d14f01f4dbeeafd1d5a4d76cbe21d # v1.4.0
+        id: attest
+        with:
+          subject-path: ${{ needs.deploy.outputs.worker-script }}
+          predicate-type: ${{ steps.generate-build-provenance-predicate.outputs.predicate-type }}
+          predicate: ${{ steps.update-predicate.outputs.predicate }}
diff --git a/packages/codius-astro/README.md b/packages/codius-astro/README.md
@@ -25,7 +25,7 @@ pnpm --filter codius-astro d1 migrations apply <your-d1-db-name> --remote
 > **Note:** Rollback local migrations by deleting the state files with the following command:
 >
 > ```bash
-> rm .wrangler/state/v3/d1/miniflare-D1DatabaseObject/*
+> rm packages/codius-astro/.wrangler/state/v3/d1/miniflare-D1DatabaseObject/*
 > ```
 
 ### Environment Variables

diff --git a/packages/codius-astro/assets/webhook-event.png b/packages/codius-astro/assets/webhook-event.png
diff --git a/packages/codius-astro/drizzle/0001_fearless_captain_flint.sql b/packages/codius-astro/drizzle/0001_fearless_captain_flint.sql
@@ -0,0 +1,2 @@
+CREATE INDEX `idx_apps_github_workflow_run_id` ON `apps` (`github_workflow_run_id`);--> statement-breakpoint
+ALTER TABLE `apps` DROP COLUMN `github_workflow_job_id`;
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		CREATE INDEX `idx_apps_github_workflow_run_id` ON `apps` (`github_workflow_run_id`);--> statement-breakpoint
		ALTER TABLE `apps` DROP COLUMN `github_workflow_job_id`;