feat: automate artifact release attestation

Cargo.toml

@@ -42,6 +42,7 @@ base64 = "0.22.1"
 thiserror = "2"
 uuid = { version = "1", features = ["v4"] }
 git2 = { version = "0.20.4", default-features = false, features = ["vendored-libgit2"] }
+glob = "0.3"
 parking_lot = "0.12"
 schemars = "0.8"
 subtle = "2.6"

crates/auths-cli/Cargo.toml

@@ -32,6 +32,7 @@ dialoguer = "0.12.0"
 anyhow = "1"
 hex = "0.4.3"
 gethostname = "0.4"
+glob.workspace = true
 auths-core = { workspace = true, features = ["witness-server"] }
 auths-id = { workspace = true, features = ["witness-client", "indexed-storage"] }
 auths-storage = { workspace = true, features = ["backend-git"] }

crates/auths-cli/src/commands/artifact/batch_sign.rs

@@ -0,0 +1,141 @@
+//! Handler for `auths artifact batch-sign`.
+
+use anyhow::{Context, Result};
+use std::path::PathBuf;
+use std::sync::Arc;
+
+use auths_core::config::EnvironmentConfig;
+use auths_core::signing::PassphraseProvider;
+use auths_sdk::workflows::ci::batch_attest::{
+    BatchEntry, BatchEntryResult, BatchSignConfig, batch_sign_artifacts, default_attestation_path,
+};
+
+use super::file::FileArtifact;
+use crate::factories::storage::build_auths_context;
+
+/// Execute the `artifact batch-sign` command.
+///
+/// Args:
+/// * `pattern`: Glob pattern matching artifact files.
+/// * `device_key`: Device key alias for signing.
+/// * `key`: Optional identity key alias.
+/// * `attestation_dir`: Optional directory to collect attestation files.
+/// * `expires_in`: Optional TTL in seconds.
+/// * `note`: Optional note for attestations.
+/// * `repo_opt`: Optional identity repo path.
+/// * `passphrase_provider`: Passphrase provider for key decryption.
+/// * `env_config`: Environment configuration.
+///
+/// Usage:
+/// ```ignore
+/// handle_batch_sign("dist/*.tar.gz", "ci-device", None, Some(".auths/releases"), ...)?;
+/// ```
+#[allow(clippy::too_many_arguments)]
+pub fn handle_batch_sign(
+    pattern: &str,
+    device_key: &str,
+    key: Option<&str>,
+    attestation_dir: Option<PathBuf>,
+    expires_in: Option<u64>,
+    note: Option<String>,
+    repo_opt: Option<PathBuf>,
+    passphrase_provider: Arc<dyn PassphraseProvider + Send + Sync>,
+    env_config: &EnvironmentConfig,
+) -> Result<()> {
+    let repo_path = auths_id::storage::layout::resolve_repo_path(repo_opt)?;
+    let ctx = build_auths_context(&repo_path, env_config, Some(passphrase_provider))?;
+
+    let paths = expand_glob(pattern)?;
+    if paths.is_empty() {
+        println!("No files match pattern: {}", pattern);
+        return Ok(());
+    }
+
+    let entries: Vec<BatchEntry> = paths
+        .iter()
+        .map(|p| BatchEntry {
+            source: Arc::new(FileArtifact::new(p)),
+            output_path: default_attestation_path(p),
+        })
+        .collect();
+
+    println!("Signing {} artifact(s)...", entries.len());
+
+    let config = BatchSignConfig {
+        entries,
+        device_key: device_key.to_string(),
+        identity_key: key.map(|s| s.to_string()),
+        expires_in,
+        note,
+    };
+
+    let result = batch_sign_artifacts(config, &ctx)
+        .with_context(|| format!("Batch signing failed for pattern: {}", pattern))?;
+
+    // Write attestation files and collect to directory (file I/O is CLI's job)
+    for entry in &result.results {
+        if let BatchEntryResult::Signed(s) = entry {
+            std::fs::write(&s.output_path, &s.attestation_json)
+                .with_context(|| format!("Failed to write {}", s.output_path.display()))?;
+            println!(
+                "  Signed: {} (sha256:{})",
+                s.output_path.display(),
+                s.digest
+            );
+        }
+        if let BatchEntryResult::Failed(f) = entry {
+            eprintln!("  FAILED: {}: {}", f.output_path.display(), f.error);
+        }
+    }
+
+    if let Some(ref dir) = attestation_dir {
+        collect_to_dir(&result.results, dir)?;
+        println!("Collected attestations to: {}", dir.display());
+    }
+
+    println!(
+        "{} signed, {} failed",
+        result.signed_count(),
+        result.failed_count()
+    );
+
+    if result.failed_count() > 0 {
+        anyhow::bail!(
+            "{} of {} artifact(s) failed to sign",
+            result.failed_count(),
+            result.signed_count() + result.failed_count()
+        );
+    }
+
+    Ok(())
+}
+
+fn expand_glob(pattern: &str) -> Result<Vec<PathBuf>> {
+    let paths: Vec<PathBuf> = glob::glob(pattern)
+        .with_context(|| format!("Invalid glob pattern: {}", pattern))?
+        .filter_map(|entry| entry.ok())
+        .filter(|p| p.is_file())
+        .collect();
+    Ok(paths)
+}
+
+fn collect_to_dir(results: &[BatchEntryResult], dir: &std::path::Path) -> Result<()> {
+    std::fs::create_dir_all(dir)
+        .with_context(|| format!("Failed to create attestation directory: {}", dir.display()))?;
+
+    for entry in results {
+        if let BatchEntryResult::Signed(s) = entry {
+            let filename = s
+                .output_path
+                .file_name()
+                .unwrap_or_default()
+                .to_string_lossy()
+                .to_string();
+            let dst = dir.join(&filename);
+            std::fs::write(&dst, &s.attestation_json)
+                .with_context(|| format!("Failed to write {}", dst.display()))?;
+        }
+    }
+
+    Ok(())
+}

crates/auths-cli/src/commands/artifact/mod.rs

@@ -1,3 +1,4 @@
+pub mod batch_sign;
 pub mod core;
 pub mod file;
 pub mod publish;
@@ -111,6 +112,36 @@ pub enum ArtifactSubcommand {
         note: Option<String>,
     },
 
+    /// Sign multiple artifacts matching a glob pattern.
+    ///
+    /// Signs each file, writes `.auths.json` attestations, and optionally
+    /// collects them into a target directory.
+    BatchSign {
+        /// Glob pattern matching artifact files (e.g. "dist/*.tar.gz").
+        #[arg(help = "Glob pattern matching artifact files to sign.")]
+        pattern: String,
+
+        /// Local alias of the device key.
+        #[arg(long)]
+        device_key: Option<String>,
+
+        /// Local alias of the identity key. Omit for device-only CI signing.
+        #[arg(long)]
+        key: Option<String>,
+
+        /// Directory to collect attestation files into.
+        #[arg(long, value_name = "DIR")]
+        attestation_dir: Option<PathBuf>,
+
+        /// Duration in seconds until expiration.
+        #[arg(long = "expires-in", value_name = "N")]
+        expires_in: Option<u64>,
+
+        /// Optional note to embed in each attestation.
+        #[arg(long)]
+        note: Option<String>,
+    },
+
     /// Verify an artifact's signature against an Auths identity.
     Verify {
         /// Path to the artifact file to verify.
@@ -218,6 +249,33 @@ pub fn handle_artifact(
             };
             publish::handle_publish(&sig_path, package.as_deref(), &registry)
         }
+        ArtifactSubcommand::BatchSign {
+            pattern,
+            device_key,
+            key,
+            attestation_dir,
+            expires_in,
+            note,
+        } => {
+            let resolved_alias = match device_key {
+                Some(alias) => alias,
+                None => crate::commands::key_detect::auto_detect_device_key(
+                    repo_opt.as_deref(),
+                    env_config,
+                )?,
+            };
+            batch_sign::handle_batch_sign(
+                &pattern,
+                &resolved_alias,
+                key.as_deref(),
+                attestation_dir,
+                expires_in,
+                note,
+                repo_opt,
+                passphrase_provider,
+                env_config,
+            )
+        }
         ArtifactSubcommand::Verify {
             file,
             signature,

crates/auths-cli/src/commands/init/gather.rs

@@ -236,12 +236,5 @@ pub(crate) fn check_keychain_access(out: &Output) -> Result<Box<dyn KeyStorage +
 }
 
 pub(crate) fn map_ci_environment(detected: &Option<String>) -> CiEnvironment {
-    match detected.as_deref() {
-        Some("GitHub Actions") => CiEnvironment::GitHubActions,
-        Some("GitLab CI") => CiEnvironment::GitLabCi,
-        Some(name) => CiEnvironment::Custom {
-            name: name.to_string(),
-        },
-        None => CiEnvironment::Unknown,
-    }
+    auths_sdk::domains::ci::map_ci_environment(detected)
 }