fix supply chain: provenance paths to workspace, clean rebuild for .d test

- Move provenance.json from /tmp/ to workspace root so all artifact paths share the same least-common-ancestor (fixes upload-artifact creating unusable paths like /home/runner/work/.../target/release/) - Add cargo clean + rebuild before .d file tampering test to reset corrupted build state from rmeta tampering test - All downstream supply chain jobs (verify, tamper, adversarial) were failing due to the artifact path issue
2026-03-26 21:43:09 +00:00 · 2026-02-22 20:49:25 +01:00 · 2026-02-22 20:49:25 +01:00 · 9fcd08f012
commit 9fcd08f012
parent 3d73d25086
1 changed files with 15 additions and 12 deletions
--- a/.github/workflows/supply-chain-test.yml
+++ b/.github/workflows/supply-chain-test.yml
@ -92,7 +92,7 @@ jobs:
      # --- Provenance attestation ---
      - name: Generate provenance attestation
        run: |
-          cat > /tmp/provenance.json << EOF
+          cat > provenance.json << EOF
          {
            "_type": "https://in-toto.io/Statement/v0.1",
            "predicateType": "https://slsa.dev/provenance/v0.2",
@ -145,14 +145,14 @@ jobs:
          }
          EOF
          echo "Provenance attestation generated"
-          python3 -c "import json; json.load(open('/tmp/provenance.json')); print('Valid JSON')"
+          python3 -c "import json; json.load(open('provenance.json')); print('Valid JSON')"

      - name: Sign provenance attestation
        run: |
          cosign sign-blob --yes \
-            /tmp/provenance.json \
-            --output-signature /tmp/provenance.json.sig \
-            --output-certificate /tmp/provenance.json.crt
+            provenance.json \
+            --output-signature provenance.json.sig \
+            --output-certificate provenance.json.crt

      - name: Upload all artifacts
        uses: actions/upload-artifact@v4
@ -169,9 +169,9 @@ jobs:
            karapace_bom.json
            karapace_bom.json.sig
            karapace_bom.json.crt
-            /tmp/provenance.json
-            /tmp/provenance.json.sig
-            /tmp/provenance.json.crt
+            provenance.json
+            provenance.json.sig
+            provenance.json.crt

  verify-signatures:
    name: Verify Signatures & Provenance
@ -230,9 +230,9 @@ jobs:
      - name: Verify provenance attestation signature
        run: |
          cosign verify-blob \
-            artifacts/tmp/provenance.json \
-            --signature artifacts/tmp/provenance.json.sig \
-            --certificate artifacts/tmp/provenance.json.crt \
+            artifacts/provenance.json \
+            --signature artifacts/provenance.json.sig \
+            --certificate artifacts/provenance.json.crt \
            --certificate-identity-regexp 'https://github.com/marcoallegretti/karapace' \
            --certificate-oidc-issuer https://token.actions.githubusercontent.com
          echo "Provenance attestation signature: VERIFIED"
@ -241,7 +241,7 @@ jobs:
      - name: Verify provenance content matches this build
        run: |
          set -euo pipefail
-          PROV=$(cat artifacts/tmp/provenance.json)
+          PROV=$(cat artifacts/provenance.json)

          # Verify commit SHA
          PROV_SHA=$(echo "$PROV" | python3 -c "import sys,json; print(json.load(sys.stdin)['predicate']['invocation']['configSource']['digest']['sha1'])")
@ -534,6 +534,9 @@ jobs:
      - name: "Test: .d file tampering does not affect binary"
        run: |
          set -euo pipefail
+          # Clean rebuild to reset state after rmeta tampering
+          cargo clean
+          cargo build --release -p karapace-cli -p karapace-dbus
          BASELINE_HASH=$(sha256sum target/release/karapace | awk '{print $1}')
          for D_FILE in $(find target/release/deps -name 'karapace_*.d' | head -5); do
            echo "TAMPERED_MARKER" >> "$D_FILE"